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ABSTRACT 

As  the  number  of  computers  and  computer  systems  in  existence  has  grown  over 
the  past  few  decades,  we  have  come  to  depend  on  them  to  maintain  the  security  of  private 
or  sensitive  information.  The  execution  of  a  program  may  cause  leaks  of  private  or 
sensitive  information  from  the  computer.  Static  secure  flow  analysis  is  an  attempt  to 
detect  these  leaks  prior  to  program  execution. 

It  is  possible  to  analyze  programs  by  hand,  but  this  is  often  impractical  for  large 
programs.  A  better  approach  is  to  automate  the  analysis;  which  is  what  this  thesis 
explores. 

We  describe  some  previous  research  and  give  background  information  about 
secure  flow  analysis.  A  secure  flow  analyzer  is  presented.  It  implements  a  secure  flow 
type  inference  algorithm,  for  a  subset  of  Java  1 .0.2,  using  a  parser  generator  called  Java 
Compiler  Compiler  (JavaCC).  Semantic  actions  are  inserted  into  a  grammar  specification 
to  perform  the  secure  flow  analysis  on  a  given  program. 


VI 


TABLE  OF  CONTENTS 

I.  INTRODUCTION. 1 

A.  SECURE  INFORMATION  FLOW 1 

B.  A  TYPE  BASED  TREATMENT  OF  SECURE  INFORMATION 
FLOW.. 2 

C.  A  TYPE  INFERENCE  ALGORITHM 2 

D.  AN  APPLICATION  OF  THE  ALGORITHM .3 

E.  THESIS  ORGANIZATION 4 

II.  THE  LATTICE  MODEL  OF  SECURE  INFORMATION  FLOW .5 

III.  A  SECURE  FLOW  TYPE  SYSTEM 7 

IV.  A  SECURE  FLOW  TYPE  INFERENCE  ALGORITHM 1 1 

V.  IMPLEMENTATION  OF  THE  TYPE  INFERENCE  ALGORITHM 1 5 

A.  BASIC  DESCRIPTION  OF  A  JAVACC  GRAMMAR 
SPECIFICATION 15 

B.  IMPLEMENTING  THE  ALGORITHM  USING  JAVACC 17 

C.  RESTRICTIONS  IMPOSED  ON  PROGRAMS. 24 

VI.  AN  EXAMPLE  RUN  OF  THE  STATIC  ANALYZER 27 

VII.  CONCLUSIONS 29 

LIST  OF  REFFERENCES 31 

APPENDIX  A.  JAVA  GRAMMAR  SPECIFICATION.. 33 

APPENDIX  B.  STATIC  ANALYZER  SOURCE  CODE 67 

APPENDIX  C.  TEST  PROGRAMS 79 

INITIAL  DISTRIBUTION  LIST  85 


VI 1 


Vlll 


LIST  OF  FIGURES 

Figure  1  Core  Language 1 1 

Figure  2  Volpano-Smith  Type  Inference  Algorithm 12 

Figure  3  Example  Program 13 

Figure  4  Algorithm  Results  of  Sample  program 14 

Figure  5  Algorithm  Results  after  Type  Simplification 14 

Figure  6  Principle  Type  after  Applying  Monotonicity-Based  Instantiations 14 

Figure  7  Sample  Productions ._ 16 

Figure  8  Assignment  Production 21 

Figure  9  Java  Specification  Productions  to  Handle  Local  Variable 

Declarations  22 

Figure  10  Specification  Changes  for  letvar  Statement _ 24 

Figure  1 1  Static  Analyzer  Test  Program 27 

Figure  12  Test  Program  Results _ 27 


IX 


ACKNOWLEDGEMENT 

To  Dr.  Dennis  Volpano,  I  would  like  to  express  my  deepest  thanks  for  being  so 
patient  while  repeatedly  explaining  the  required  concepts.  Your  support,  guidance, 
knowledge,  instruction  and  ability  to  explain  difficult  concepts  was  instrumental  to  my 
being  able  to  complete  this  thesis. 

To  Dr.  Craig  Rasmussen,  I  would  like  to  express  my  sincere  gratitude  for  your 
support,  guidance,  and  dedication.  Your  attention  to  detail  was  essential  through  this 
process. 

To  my  wife,  Cindy,  and  daughter,  Madison,  who  have  cheerfully  put  up  with  late 
nights  and  missed  dinners.  I  thank  you  for  your  support,  understanding  and  devotion. 


\i 


Xll 


I.  INTRODUCTION 

The  number  of  computers  and  computer  networks  has  exploded  over  the  past  few 
decades,  and  computer  security  is  a  major  concern.  In  a  multi-level  system  where 
information  exists  with  different  security  classifications,  such  as  a  military  computer 
system,  we  want  to  protect  information  with  a  high  security  classification.  It  is  desirable 
to  have  an  automated  tool  to  detect  whether  information  we  wish  to  keep  secret  in 
applications  remains  secret  and  is  not  leaked.  This  thesis  introduces  a  program  that  will 
statically  analyze  a  subset  of  Java  programs  to  ensure  that  private  information  is  not 
leaked. 
A.         SECURE  INFORMATION  FLOW 

Verifying  secure  information  flow  within  computer  systems  is  necessary  in  order 
to  protect  sensitive  information,  especially  in  a  military  system.  Denning  and  Denning 
state  that  information  flow  occurs  from  a  storage  object  x  to  another  storage  object  y 
when  information  stored  in  x  is  transferred  to  y,  or  used  to  derive  information  transferred 
to  y.  A  flow  may  be  either  explicit  or  implicit  [1]. 

Explicit  information  flow  occurs  when  information  is  directly  copied  or 
transferred  from  one  storage  object  to  another.  Consider  the  code  segment  "y  :=  x".  The 
information  contained  in  x  is  directly  copied  into  y,  so  information  flows  from  x  to  y. 
The  flow  from  x  to  y  is  independent  of  the  value  stored  in  x. 

Implicit  flow  occurs  when  information  is  indirectly  copied  or  transferred  from  one 
storage  object  to  another.  If  the  variable  x  contains  either  0  or  1,  then  the  following  code 


segment  will  copy  the  value  of  x  into  y  using  an  implicit  flow: 

y:=0;    if  (x  =  1)  then  y  :=  1 
In  this  case,  there  is  no  direct  flow  from  x  to  y.  However,  the  value  of  x  determines 
whether  the  then  statement  will  be  executed.  The  flow  in  both  of  these  examples  is 
allowed  only  if  the  security  classification  of  y  is  at  least  that  of  x.  For  instance,  if  x  were 
classified  high  then  y  must  also  be  classified  high  in  order  for  the  code  to  be  secure  [1]. 

B.  A  TYPE-BASED  TREATMENT  OF  SECURE  INFORMATION  FLOW 
Goguen  and  Meseguer  introduced  a  notion  of  security  for  deterministic  computer 

systems  called  noninterference  [2],  The  basic  idea  is  that  a  system  has  users  who  may 
supply  information  with  various  security  classifications  to  the  system.  A  system  satisfies 
the  noninterference  property  if  its  low-level  outputs  remain  the  same  when  its  high-level 
inputs  are  changed. 

Volpano  and  Smith  [3]  have  applied  this  idea  to  programming  languages.  When 
applied  to  languages,  the  idea  is  that  low-level  program  outputs  are  unaffected  by 
changes  in  high-level  program  inputs. 

C.  A  TYPE  INFERENCE  ALGORITHM 

Volpano  and  Smith  go  on  to  describe  an  algorithm  that  is  defined  by  cases  on  the 
phrases  of  a  simple  imperative  language.  The  evaluation  of  an  expression  returns  a 
principal  type  and  a  set  of  typing  constraints.  A  typing  constraint  is  an  inequality 
between  two  types  that  are  security  levels.  For  example,  if  x  is  type  high  and  t'  is  type 
low  then  x'  <  x  is  a  constraint.  Note  that  x'  =  x  is  equivalent  to  x'  <  x  and  x  <  x'.  It  is 

important  to  note  also  that  the  algorithm  produces  constraints  among  type  variables, 

where  a  type  variable  ranges  over  types  like  high  and  low.  Constraint-set  satisfiability 
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can  be  used  on  the  set  of  constraints  to  determine  whether  illegal  flows  exist  in  the 
program  being  analyzed,  for  instance,  if  a  constraint  set  contains  high  <  low. 

The  classifications,  or  types,  over  which  type  variables  range,  depend  on  the 
system  being  modeled.  In  a  typical  military  system,  the  types  would  be  unclassified, 
confidential,  secret,  and  top  secret.  For  the  purposes  of  this  discussion,  we  consider  a 
simple  system  of  only  two  types,  high  and  low,  where  low  <  high. 

As  an  example  of  how  the  algorithm  works,  consider  the  case  of  the  preceding 
assignment  statement,  y  :=  x.  Assuming  x  and  y  have  already  been  assigned  the  type 
variables  To  and  Tj  respectively,  the  following  set  of  constraints  will  be  generated  by  the 
type  inference  algorithm: 

{To<T2,  Tl  =  T2,  T3  <T2} 

Therefore,  the  principal  type  of  the  expression  is  13  cmd.  The  constraint  set  can  be 
simplified  to  {to  <  ti,  13  <  Ti }.  So,  for  the  assignment  statement  y  :=  x,  the  algorithm 

states  that  the  classification  of  y  must  be  at  least  as  high  as  the  classification  of  x.  The 

second  constraint  allows  downward  coercion  on  command  types  [7]. 

D.         AN  IMPLEMENTION  OF  THE  ALGORITHM 

This  thesis  presents  a  Java  program  that  implements  the  type  inference  algorithm. 

The  program  is  generated  from  a  specification  that  is  input  to  a  compiler  compiler  called 

JavaCC.  JavaCC  is  a  tool  that  reads  a  grammar  specification  written  in  a  LEX/  YACC- 

like  manner  and  converts  it  into  a  parser  for  the  grammar.  The  algorithm  was 

incorporated  into  a  grammar  specification  for  Java  1.0.2  supplied  with  the  JavaCC 

distribution.  The  actions  specified  by  the  algorithm  were  performed  by  adding  Java  code 
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(semantic  actions)  to  the  corresponding  productions  in  the  grammar  specification.  The 
generated  parser  is  a  secure  flow  analyzer  for  a  subset  of  Java.  Several  statements, 
expressions,  and  other  Java  functionality  were  removed  from  the  grammar  specification 
because  they  are  not  currently  supported  by  the  type  inference  algorithm 
E.         THESIS  ORGANIZATION 

Work  in  the  area  of  secure  information  flow  and  a  lattice  model  of  secure 
information  flow  are  discussed  in  Chapter  II,  followed  by  a  description  of  the  secure  flow 
type  system  in  Chapter  III.  The  type- inference  algorithm  is  discussed  in  Chapter  IV.  In 
Chapter  V,  the  static  analyzer  and  the  Java  subset  we  consider  are  discussed.  Chapter  VI 
gives  an  example  run  of  the  analyzer,  and  Chapter  VII  discusses  some  possible  future 
work  and  presents  conclusions  about  secure  flow  analysis  and  the  static  analyzer. 


II.  THE  LATTICE  MODEL  OF  SECURE  INFORMATION  FLOW 

The  security  mechanisms  of  most  computer  systems  do  not  attempt  to  detect  or 
prevent  insecure  information  flows.  Computer  system  security  requires  that  programs  at 
high  security  levels  be  unable  to  transfer  information  to  low  security  users  or  programs. 
Most  access  control  mechanisms  are  concerned  with  direct  access  control  and  are  not 
concerned  with  information  flow  channels  that  may  exist.  Other  systems  rely  on  the 
trustworthiness  of  processes  [5]. 

In  the  lattice  model  of  secure  flow,  a  flow  policy  is  represented  by  the  poset 
<S,  ->>  [5].  S  is  a  set  of  security  classes  and  -^  is  a  partial  order,  called  the  flow 
relation.  The  flow  relation  specifies  permissible  flows  between  the  security  classes. 
Every  variable  x  is  assigned  a  security  class,  denoted  x,  that  is  statically  bound  to  x  and 
that  can  be  determined  at  compile  time  from  declarations  given  in  the  program.  If  x  and 
y  are  variables  in  a  program  and  an  information  flow  from  x  to  y  exists,  then  the  flow  is 
allowed  if  x  ->  y  [6]. 

Each  programming  construct  has  a  certification  rule.  Some  rules,  such  as 
assignment  statements,  certify  explicit  flows  and  other  rules,  such  as  if  statements,  certify 
implicit  flows.  An  assignment  statement,  x  :=  y,  will  be  certified  if  x  ->  y.  The  rules  for 
conditional  constructs  such  as  the  following  if  statement  certify  implicit  flows. 

if  x  =  0  then  y  :=  0  eke  z  :=  1 
This  statement  is  certified  if  x  -^  y  and  x  ->  z. 

If  the  poset  <S,  ~^>  is  a  lattice,  then  there  is  a  unique  least  upper  bound  and 
greatest  lower  bound  for  any  pair  of  classes.  A  simple  grammar  consisting  of  synthesized 

attributes  can  be  given  to  certify  programs.  The  attributes  are  security  classes  computed 
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using  the  least  upper  bound,  lub,  and  greatest  lower  bound,  gib,  operations.  For  example, 
the  certification  requirement  for  the  above  if  statement  becomes  the  single  condition 
x-»glbfcz)[6]. 


III.  A  SECURE  FLOW  TYPE  SYSTEM 

Volpano,  Irvine,  and  Smith  describe  a  type  system  consisting  of  a  set  of  type 
inference  rules  and  axioms  for  deriving  typing  judgements.  The  types  of  the  system  are 
divided  into  three  levels.  One  level  contains  data  types,  which  we  refer  to  as  z  types. 
These  are  the  security  classes  of  Denning's  model  and  they  are  partially  ordered,  for 
example,  low  <  high. 

At  the  next  level,  are  the  n  types.  They  consist  of  the  data  types  t,  command 
types  z  cmd  and  the  procedure  types 

z  proc{z\,  i2  var,  T3  ace) 
A  variable  of  type  z  var  means  it  can  store  information  at  level  z.  A  command  has  type 
z  cmd  only  if  every  assignment  in  the  command  is  made  to  a  variable  whose  security 
level  is  z  or  higher.  Lastly,  the  z  in  the  above  procedure  type  refers  to  the  security  level 
of  its  body.  That  is,  a  call  to  a  procedure  of  this  type  would  have  type  z  cmd. 

At  the  third  and  final  level  are  the  p,  or  phrase,  types.  They  consist  of  are  the 
n  types,  type  t  var  and  type  z  ace  (we  ignore  type  z  ace).  So,  our  procedure  types,  in  this 
this,  are  of  the  form: 

zproc(z\  var,...,zn  var) 

The  partial  order  on  z  types  is  extended  to  a  subtype  relation  over  phrase  types. 
The  subtype  relation  is  anti-monotonic  in  the  types  of  the  commands,  meaning  if  z  is  a 
subtype  of  z',  then  t'  cmd  is  a  subtype  of  z  cmd.  The  intuition  here  is  that  if  one  can  read 
level  z'  (high)  information  then  they  can  read  level  z  (low)  information.  There  is  also  a 
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typical  type  subsumption  rule  that  states  if  a  phrase  has  type  p  then  it  can  be  assigned  a 

type  p'  if  p  is  a  subtype  of  p'  [7]. 

The  typing  rules  of  the  system  guarantee  secure  explicit  and  implicit  flow. 

Consider  the  typing  rule  for  assignment: 

7 1-  x  :  t  var 

y\-  e  :  z 


y\-  x  :=e  :  zcmd 
where  y  is  an  identifier  typing  that  maps  identifiers  to  p  types.  The  rule  states  that  the 
explicit  flow  from  expression  e  to  variable  x  is  secure  if  e  and  x  have  the  same  security 
level.  This  does  not  prevent  e  from  having  a  lower  security  level  than  x,  because 
subtyping  allows  the  level  to  be  coerced  upward. 

The  next  example  shows  a  rule  that  deals  with  a  situation  where  an  implicit  flow 
exists.  Consider  the  following  program  phrase  where  x  is  either  0  or  1 : 

if  x  =  1  then  y  :=  1  else  y  :=  0 

There  is  no  explicit  flow  from  x  to  y,  but  when  the  phrase  is  executed,  y  will  contain  the 

value  of  x.  To  guarantee  the  implicit  flow  from  x  to  y  is  secure,  the  following  typing  rule 

is  used: 

y  |-  e  :  t 

y  |-  c  :  z  cmd 

y\-  c' :  zcmd 


y\-ife  then  c  else  c' :  zcmd 
The  commands  c  and  c'  must  have  type  r  cmd,  because  information  of  type  r  is  implicitly 
known  by  evaluating  the  predicate  e.  Therefore  c  and  c'  can  only  make  assignments  to 
variables  at  security  level  t  or  higher.  The  rule  requires  e,  c,  and  c'  to  have  the  same 


security  level,  namely  t.  Nevertheless,  an  upward  implicit  flow  from  e  to  c  and  c'  can  be 
accommodated  by  subtyping. 

There  is  also  a  rule  for  local  variable  declarations.  A  local  variable  declaration  of 
the  form 

letvar  x  :=  e  in  c 
creates  a  variable  x  with  an  initial  value  e,  whose  scope  is  command  c.  The  initialization 
of  x  may  cause  an  implicit  flow,  but  it  is  always  harmless. 

Two  lemmas  are  needed  to  prove  type  soundness:  Simple  Security  and 
Confinement.  Simple  Security  applies  to  expressions  and  Confinement  applies  to 
commands.  If  an  expression  e  can  be  assigned  type  r,  then  Simple  Security  states  that 
only  variables  of  type  x  or  lower  will  be  read  when  e  is  evaluated  (no  read  up). 
Confinement  says  that  if  a  command  c  can  be  assigned  type  z  cmd,  then  every  variable 
that  is  updated  in  c  has  security  level  t  or  higher  (no  write  down).  These  two  lemmas  are 
used  to  prove  that  the  type  system  is  sound.  Soundness  is  formulated  as  a 
noninterference  property.  The  noninterference  property  states  that  variables  in  a  well- 
typed  program  do  not  interfere  with  variables  at  lower  security  levels. 

It  is  possible  to  automatically  check  whether  a  program  is  well  typed,  using  the 
techniques  of  type  inference.  The  basic  idea  of  type  inference  is  to  use  type  variables  to 
represent  unknown  types  in  a  program,  and  to  generate  constraints  in  the  form  of 
inequalities.  An  assignment  of  types  to  these  variables  must  satisfy  the  constraints  in 
order  for  the  program  to  be  well  typed  with  respect  to  that  assignment.  A  principal  type 
can  be  formulated  that  represents  all  possible  types  the  program  can  be  given. 
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IV.  A  SECURE  FLOW  TYPE  INFERENCE  ALGORITHM 

A  type  inference  algorithm  that  ensures  secure  information  flow  is  described  in 
this  chapter.  Volpano  and  Smith  have  extended  the  type  system  discussed  in  the  previous 
chapter  to  a  simple  language  with  first  order  procedures  [3].  They  also  prove  the 
noninterference  property  for  the  system  in  order  to  establish  the  type  soundness  in  the 
context  of  procedures.  Figure  1  shows  the  core  language  they  considered. 


expressions  ::= 

x  |  n  |  / 1 

et  +  e2  | 

proc(in  xj,  inout  x2,  out  X3)  c 

commands  ::= 

ci;  c2  | 

if  e  then  cj  else  c2  \ 

while  e  do  c  \ 

ei  :=e2\ 

letvar  x  :=  e  in  c  \ 

letproc  x  (in  */,  inout  x2,  out  X3)  c  in  c'  \ 

e(e],e2,e3) 

Figure  1 .  Core  Language 
For  expressions,  meta-variable  x  ranges  over  identifiers,  n  ranges  over  integer  literals, 
and  /  ranges  over  locations.  Expressions  also  consist  of  anonymous  procedure 
expressions.  Their  names  are  provided  via  letproc. 

Commands  consist  of  the  following:  composition  of  commands,  if,  while  loops, 
assignment,  variable  declarations,  procedure  declarations,  and  procedure  calls. 

Volpano  and  Smith  give  a  secure  flow  type  inference  algorithm  in  [3].  It  is  shown 
in  Figure  2  and  is  defined  by  cases  on  the  phrases  of  the  core  language.  The  algorithm 
takes  as  inputs  a  location  typing  A,  an  identifier  typing  7,  a  program  phrase  p,  and  a  set  of 
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rV(A,7,P,V)  =  ca»epof 

i  :  case  t(«)  of 

r({r<a),c,Vu{c,})      a^V 
?oar:  ({?<«},  a,  Vu{«})      or  g  V 
default  :  fail 

»:«},o:,Vu{cf})      o  *  V 

l:({A(0<a},a,VU{a})     <«^ 
ei  +  ej  : 

let(a,)n,,V")=^(A,7,ea,n 
in(CiUCaU{n=ft},T,,f") 

proc  (in  xi,  inout  xa,  oat  u)  c  : 

let  (C.rcmd.V")  -  W^A.tIx,  :  a,x3  :  P  oar,  x3  :*  ace],  c.VU  {«,/?,*}) 
in  (C,r  proc(a,  0  var,  6  ace),  V")      a,  0  and  *  g  V 

ex;  ca  :fct  (Ci,n  cmd,  V)  =  W{\,y,cltV) 
kt  (Ca.ft  ctmf,r")=  W(A,7,Ca,  V) 
in  (Ci  UCaU{f\  =  ft},ft  etndyV") 

if  e  then  c\  else  c3  : 

let(C,T,V")  =  ^(A.9,e,V) 

let  (d ,  n  cmd,  V*)  =  W(X,  7,  a ,  V) 

kt  (Ca.ft  cmd,  V")  m  W(A,7,  ca,  V*) 

in  (CUd  Ud  U{r  =  ft  =ft,a<  f^o  cmd,  V'wU{or})      or  j?V" 

while  edoc: 

fet(C,rlV')  =  ^(A,7,e,K) 

let  (C,  f*  cmd,  V")  -  W(X,  7,  c,  K*) 

in  (C  U  C  U  \t  =  f,  a  <r),  a  cmd,  V"U{a})      a  g.V" 

ei  vmi  e3  : 

let(C,r',V')  =  W(A17,e3,K) 
esse  c\  of 

x  :   if  t(x)  =  r  oar  or  t(x)  =  f  occ  then 

(C  U  {r  =  ?,«<?*},  a  cmd,  V'u{or})      o  tf  V 

I:     (C  U  {A(0  =  ?*,  o<r*},  or  cmd,  V^U  {or})      a^V 

default  :  fail 

let  var  i  :=  t  in  c  : 

let(C,f>n  =  ^(A.7,e,V0 

kt  (C,r  cmd,V")  m  W{\,t[z  :?  oarlcV) 

in  (CuC.f  cmd,V") 

Ictproc  x(in  xi,  Inout  x3,  out  xs)  c  in  c'  : 

kt  (C,w, V")  =  W(A,7,proe  (in  xi,  Inout  xa,  ont  x»)  c,V) 

let  (C,rcmd,Vn)  =  W{\,y,\proc  (in  x,,  inout  x3,  out  xs)  c/xk',  V) 

infCuC.rcmd.K") 

e(ei>«a,es}: 

kt  (C,t prcefn,  ft  oar,  ft  a«),  V)  =  W(\,y,e,V) 
kt(C,r',V)  =  rr'(A,7.ei.K') 
kt  C  =  ewe  e3  of 

x:   if  7X*)*^'twtkenCuC"u{?  =  n,r"=:ra}  eke  fail 

I:    CuCu{f,  =  Tl,X(l)  =  ri) 

default  r  fail 
in  case  «3  of 

x  :   if  y(x)  ■»**««  «  7(x)  =  r"  ace  then  (Cu  {?"  -  ft}, f  cmd,  V") 
eke  fail 

I  :  (C"  U  (A(J)  n  ft},?  cmd,  V) 

default  :fail 

Figure  2.  Volpano-Smith  Type  Inference  Algorithm 
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type  variables  V.  A  location  typing  maps  addresses  to  x  types  and  an  identifier  typing 
maps  variables  to  types  x  and  x  var,  for  some  x.  The  latter  treats  free  variables  in  a 
program,  while  the  former  treats  free  addresses.  We  shall  assume  programs  have  no  free 
addresses,  and  drop  X  from  the  implementation  of  the  type  inference  algorithm.  The  set  V 
contains  a  list  of  previously-used  type  variables  and  allows  the  algorithm  to  choose  new 
type  variables.  If  the  algorithm  succeeds,  it  returns  a  triple  consisting  of  a  set  of 
constraints  C,  a  type  n,  and  the  updated  set  of  stale  variables  V.  The  constraints  in  C  are 
inequalities  among  type  variables. 

To  illustrate  how  the  algorithm  works,  we  give  an  example  from  [3],  shown  in 
Figure  3,  of  a  procedure  that  indirectly  copies  a  variable  x  to  another  variable  y. 


proc  (in  x,  out  y) 

letvar  a  := 

x  in 

letvar  b  := 

:0in 

while  z 

i>0do 

b:= 

b+1; 

a  := 

a-1; 

y:=b 

Figure  3.  Example  Program 
Figure  4  shows  the  results  of  calling  the  algorithm  on  the  procedure.  The  algorithm  yields 
a  triple  consisting  of  a  set  of  stale  type  variables  V,  the  list  of  generated  constraints  and 
the  type  of  the  procedure,  here  denoted  by  n  .  This  triple  is  used  to  form  the  principal 
type  for  the  procedure. 

Type  simplification  can  be  used  to  simplify  the  constraint  set  C  and  type  n  [8]. 
The  static  analyzer  developed  for  this  thesis  does  not  include  any  mechanism  to  perform 
type  simplification  and  such  simplification  is  shown  here  for  demonstration  purposes 
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v  = 

{ a.  y,  v,  o,  e,  i,  £  v,  8,  rj,  9,  k,  X,  p,  £} 

c  = 

{cc<y  v  =  o,  s=i,  v<£,£=£y<£,  i  =  v,  8  =  rj,  i  <8, 

rj  =  0,  8<  rj,y  =  k,  u<y,  k=  A,  y<K  fi  =  <£  o<p,  S<  £} 

7T  = 

(v  proc(or,  Pace)) 

Figure  4.  Algorithm  Results  of  Sample  Program 

only.  The  first  step  collapses  the  strongly  connected  types  and  produces  a  more  useful 

form,  as  shown  in  Figure  5. 


V  = 

c  = 

K  = 


{a,  o,  8,  £} 

{8<$,o<X,X<8,  a<X\ 
(o  proc(a,  2,  ace)) 


Figure  5.  Algorithm  Results  after  Type  Simplification 
Further  simplification  is  possible  leading  to  the  %  in  Figure  6. 


7t  =  (£proc(£  £  ace)) 


Figure  6.  Principal  Type  after  Applying  Monotonicity-Based  Instantiations 
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V.  IMPLEMENTATION  OF  THE  TYPE  INFERENCE  ALGORITHM 

The  static  analyzer  that  performs  the  security  checks  specified  by  the  type 
inference  algorithm  was  developed  using  the  Java  Compiler  Compiler  (JavaCC).  JavaCC 
takes,  as  input,  a  grammar  specification.  The  output  is  a  Java  program  that  will  parse  the 
specified  language  and  perform  the  semantic  actions  indicated  in  the  grammar 
specification. 

Rather  than  start  from  scratch  and  build  a  JavaCC  specification  for  the  language 
in  Figure  1,  we  started  with  a  grammar  specification  for  Java  1.0.2,  which  we  modified  to 
reflect  the  language  in  Figure  1 .  Semantic  actions  were  added  to  encode  the  type 
inference  algorithm.  The  specification  is  given  in  Appendix  A.  There  are  several 
restrictions  imposed  on  the  kinds  of  Java  programs  that  the  static  analyzer  can  check 
because  there  are  many  constructs  in  the  Java  language  that  are  not  currently  treated  in 
the  type  inference  algorithm.  Each  of  the  phrases  in  Figure  1  was  mapped  to  a 
corresponding  expression  or  statement  in  the  Java  grammar  specification. 
A.         A  BRIEF  LOOK  AT  JAVACC 

JavaCC  constructs  a  Java  program  that  acts  as  a  recursive  descent  parser  for  the 
language  described  by  the  grammar  specification.  A  sample  from  the  Java  1.0.2  grammar 
specification  is  shown  in  Figure  7.  The  sample  shows  three  productions  that  are  used  to 
parse  a  Java  method  declaration  and  parameters.  JavaCC  converts  each  production  into  a 
method  in  the  generated  parser. 
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voxd  MethodDeclarator ( )  : 

U 
{ 

<IDENTIFIER>  FormalParameters ( )  (  "["  "]"  )* 
} 

void  FormalParameters ( )  : 

{} 

l 

"("  [  FormalParameter ()  (  ","  FormalParameter ( )  )*  ]  ")" 
} 

void  FormalParameter ( )  : 

{} 
{ 

Type()  VariableDeclaratorId( ) 
} 

Figure  7.  Sample  Productions 

Each  production  begins  with  the  return  type  of  the  corresponding  method  in  the 
parser,  which  is  void  for  the  three  productions  in  Figure  7.  The  name  of  the  production 
will  also  be  the  name  of  the  method  in  the  parser.  Parameter  passing  can  be  adding  to  the 
productions  in  the  same  way  it  is  used  in  Java  programs. 

There  is  a  notion  of  "calling"  a  production  because  of  its  relationship  with  the 
corresponding  method  in  the  generated  parser.  For  example,  if  the  production 
FormalParameter  ( )  in  Figure  7  is  called,  it  will  in  turn  call  the  productions 
Type ( )  and  VariableDeclaratorld ( )  . 

Java  code  can  be  added  anywhere  in  the  production,  but  must  be  enclosed  in  curly 
braces,  "{  }".  When  JavaCC  converts  the  production  into  its  corresponding  method,  the 
added  code  will  remain  where  it  was  placed.  Local  variable  declarations  for  any 
production  should  be  inserted  in  the  first  set  of  curly  braces  of  that  production.  In  the 
three  productions  shown  in  Figure  7,  there  are  no  local  variable  declarations. 
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B.  IMPLEMENTING  THE  ALGORITHM  USING  JAVACC 

There  are  two  main  data  structures  in  the  implementation  of  the  algorithm.  The 
first  is  called  gamma,  and  contains  identifier  typings.  The  second  is  called  triple,  and 
consists  of  the  items  returned  by  the  type  inference  algorithm,  namely,  a  set  of  constraints 

C,  a  type  n,  and  a  list  of  stale  type  variables  V. 

The  initial  attempt  to  implement  the  algorithm  used  two  Stacks  from  the  Java 
utility  package.  The  gamma  stack  held  objects  called  gamma  items.  A  gamma  item 
consisted  of  a  variable  name  and  its  type  variable.  The  triple  stack  contained  the  triple 
items  consisting  of  the  constraint  set  in  the  form  of  a  linked  list  and  the  principal  type. 
The  set  of  stale  type  variables  was  kept  in  a  separate  symbol  generator  for  the  entire 
program. 

The  idea  of  the  gamma  stack  was  to  push  a  gamma  item  whenever  a  new  variable 
was  encountered  and  to  pop  the  stack  when  the  variable's  scope  ended.  It  became 
apparent  that  determining  when  the  variable's  scope  ended  was  going  to  be  a  difficult  task 
unless  the  analyzer  kept  track  of  more  information  about  the  variables  being  declared. 
The  analyzer  soon  had  four  separate  stacks  to  keep  track  of  the  important  information. 
The  triple  stack  had  similar  problems. 

It  was  determined  that  all  of  the  external  stacks  could  be  eliminated  if  the  run  time 
stack  was  utilized.  In  this  implementation,  gamma  became  a  linked  list  of  gamma  items 
that  is  passed  as  a  parameter  from  one  production  to  those  productions  it  calls.  In 
addition,  each  production  returns  a  triple  that  contains  all  the  constraints  generated  in  the 
program.  This  did  pose  one  problem.  A  local  variable  declaration  requires  an  update  to 
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the  gamma  list  with  the  variable's  type  information  and  it  also  requires  the  generation  of  a 
new  triple  item.  Both  must  be  returned  to  the  calling  production. 

This  problem  may  be  overcome  by  adding  new  productions  to  the  specification 
but  the  productions  were  not  added  in  this  implementation.  Instead,  a  new  data  structure 
was  developed  to  simply  hold  the  new  gamma  list  and  the  generated  triple  so  that  both 
the  gamma  list  and  the  generated  triple  could  be  returned.  The  structure,  called  Dual,  was 
later  updated  to  also  hold  a  string  when  a  similar  situation  arose  in  the  method  declaration 
production  that  required  a  gamma  list  and  the  string  representation  of  a  token  to  be 
returned. 

Each  of  the  commands  and  expressions  of  the  core  language  listed  in  Figure  1  are 
"mapped"  to  one  or  more  productions  in  the  Java  1.0.2  grammar  specification.  Mapping 
the  algorithm  to  the  Java  specification  was  performed  in  two  steps.  The  first  step  was  to 
determine  which  productions  in  the  grammar  specification  correspond  to  commands  or 
expressions  in  the  core  language.  Once  the  relationship  between  the  core  language  and 
grammar  specification  was  established,  the  second  step  entailed  encoding  the  semantic 
actions  specified  by  the  algorithm  and  placing  the  code  in  the  corresponding  productions 
of  the  grammar  specification.  We  consider,  in  turn,  each  of  the  cases  of  the  algorithm  in 
Figure  2. 

Case  "x" 

The  Name  ( )  production  in  the  grammar  file  is  an  instance  of  case  x.  Name  ( ) 
returns  a  string  representation  of  the  current  token  when  the  production  is  called.  The 
type  inference  algorithm  requires  the  type  of  x,  x  or  r  var,  to  be  determined.  The  type 
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resolution  of  the  token  that  corresponds  to  x  is  performed  within  the  production  that  calls 
Name ( ) . 

Case  "n" 

The  Literal  ( )  production  is  an  instance  of  case  n.  Literal  ()  accepts  the 
Java  primitive  types  of  integers,  floating  point  numbers,  characters,  strings,  boolean 
values  "true"  and  "false",  and  "null". 

Case  "1" 

The  third  case  statement,  /.  deals  with  locations  and  is  not  implemented  in  the 
Java  grammar. 

Case  "ei  +  e2" 

The  expressions  below  are  all  instances  of  case  ei  +  e2; 

ConditionalOrExpression ( ) 
ConditionalAndExpression ( ) 
InclusiveOrExpression ( ) 
ExclusiveOrExpression ( ) 
AndExpression ( ) 
EqualityExpression ( ) 
RelationExpression ( ) 
Shif tExpression ( ) 
AdditiveExpression ( ) 
MultiplicativeExpression ( ) 

Case  "proc(in  xi,  inout  x2,  out  x3)  c" 

The  case  in  the  algorithm  for  procedure  declarations  has  the  following  form: 

proc(  in  Xi,  inout  x2,  out  X3)  c 
The  modes  of  the  parameters,  in;  inout;  and  out,  are  similar  to  those  used  in  the  Ada 
programming  language.  The  productions  dealing  with  procedures  starts  with  the 
MethodDeclaration  ( )  production.  The  name  of  the  procedure  and  the  parameters 
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are  treated  in  a  call  to  the  MethodDeclarator  ( )  production.  The  parameters  are 
added  to  the  environment  with  a  call  to  the  Forma lParameters  ( )  production  so  they 
may  be  referenced  in  the  body  of  the  procedure.  MethodDeclarator  ( )  returns  the 
procedure  name  and  the  types  of  the  parameters.  All  parameters  are  considered  to  be 
inout  mode  and  are  typed  as  such,  meaning  they  have  type  x  var  for  some  x.  Finally  the 
body  of  the  procedure,  c,  is  handled  in  a  call  to  the  Block  ( )  production.  The  static 
analyzer  does  not  handle  recursive  procedures  or  method  declarations. 

Case  "ci;  C2" 

Next  in  the  algorithm  is  the  statement  for  composition,  Ci;  C2.  Composition  within 
a  block,  delimited  by  {  } ,  is  handled  by  the  BlockStatementList  ( )  production. 
The  original  Java  grammar  specification  handled  composition  in  the  Block  ( ) 
production.  It  was  necessary  to  add  the  production  BlockStatementList  ( )  to 
handle  the  letvar  statement.  Changes  to  the  grammar  specification  for  the  letvar 
statement  are  explained  later  in  this  section. 

Case  "if  e  then  ci  else  C2" 

If-then-else  statements  are  handled  by  the  If  Statement  ( )  production  in  the 
grammar  specification.  The  else  portion  of  the  statement  is  not  mandatory  in  Java.  If  it 
is  not  used,  then  the  semantic  actions  in  the  algorithm  pertaining  to  the  else  statement  are 
not  executed. 

Case  "while  e  do  c" 

The  next  case  is  the  while  loop  of  the  form,  while  e  do  c.  It  has  been  mapped  to 

both  the  WhileStatement  ( )  and  DoStatement  ( )  productions  in  the  Java 

specification. 
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Case  "x  :=  e" 

The  assignment  statement  x  :=  e  is  mapped  to  Assignment  ( ) .  Note  that " :  =" 
is  not  the  only  assignment  operator  allowed;  others  include:  "*=",  "/=",  "+=",  and  "-=". 
A  modification  to  the  grammar  specification  was  required  here.  The  Java  1.0.2  grammar 
specification  Assignment  ( )  production  is  listed  in  Figure  8.  The  production, 
PrimaryExpression  ( ) ,  may  be  evaluated  as  a  literal  ( ) ,  Name  ( ) , 
Expression (),  or  AllocationExpression () .   PrimaryExpression ( )  is 
also  called  from  a  number  of  other  productions  as  well  and  those  productions  require  that 
PrimaryExpression  ( )  return  a  triple  consisting  of  a  constraint  set,  a  type,  and  a  list 
of  stale  type  variables.  However,  the  Assignment  ( )  production  requires  that 
PrimaryExpression  ( )  return  the  type  of  x  from  the  identifier  typing  y.  For  this 
reason,  a  new  production,  PrimaryLef  tExpression  ( ) ,  was  introduced  into  the 
Grammar  specification.  It  returns  the  string  representation  of  x,  so  that  it  may  be 
referenced  in  y,  and  replaces  PrimaryExpression  ( )  in  the  Assignment  ( ) 
production. 


void  Assignment  ()  : 

{} 

{ 

PrimaryExpression ( ) AssignmentOperator ( ) Expression 

} 


Figure  8.  Assignment  Production 
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Case  "letvar  x  :=  e  in  c" 


Mapping  the  letvar  statement  to  the  Java  language  required  another  modification 
to  the  Java  grammar  specification.  The  original  specification  handled  local  variable 
declarations  at  the  same  level  as  all  other  statements  within  BlockStatement  ( ) .  The 
original  Java  specification  productions  that  handle  local  variable  declarations  are  shown 
in  Figure  9. 


void  Block ( )  : 

{} 

{ 

"{"  (  BlockStatement ()  )*  "}" 


void  BlockStatement 


LOOKAHEAD(Type()  <IDENTIFIER>) 
LocalVariableDeclaration ( )  " ; " 


Statement ( ) 


void  LocalVariableDeclaration 


Type ( )  VariableDeclarator ( )  (  ","  VariableDeclarator 


} 


Figure  9.  Java  Specification  Productions  to  Handle  Local  Variable  Declarations 
In  the  original  grammar  specification,  composition  is  handled  in  the  Block  ( ) 
production.  The  *  operator  indicates  that  the  production(s)  within  the  preceding  set  of 
parentheses  is  called  zero  or  more  times.  Two  new  productions, 

BlockStatementList  ( )  and  LetvarStatement  ( ) ,  were  added  to  the  grammar 
specification  because  it  is  necessary  to  pass  the  identifier  typing  y,  updated  with  a  typing 
for  x,  to  the  production  that  parses  c  in  letvar  x  =  e  in  c.  The  original  Java  1 .0.2  grammar 
specification  had  no  productions  specified  for  c,  so  BlockStatementList  ( )  was 
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introduced  to  handle  this  problem.  In  the  modified  grammar  specification,  Block  ( ) 
calls  BlockStatementList  ( )  once  per  BlockStatement  ( )  . 
BlockStatementList  ( ) , the  production  used  to  handle  composition,  calls 
BlockStatement  ( )  zero  or  more  times.  BlockStatement  ( )  calls 
LetvarStatement  ( )  if  a  local  variable  declaration  is  found,  otherwise. 
Statement  ()  is  called.  LetvarStatement  ( )  first  calls 
LocalVariableDeclaration  ( )  to  handle  the  declaration,  then 
BlockStatementList  ( )  to  parse  the  rest  of  the  program  that  is  within  the  scope  the 
new  variable.  The  section  of  the  modified  grammar  file  is  listed  in  Figure  10. 

Case  "letproc  x(in  Xi,  inout  X2,  out  X3)c  in  c'  " 

The  next  case  in  the  type  inference  algorithm,  letproc,  allows  procedures  to  be 
used  polymorphically  and  was  not  implemented  in  the  Java  grammar  specification. 
Therefore,  all  procedures  are  treated  as  monomorphic  in  the  analyzer  specification. 
Moreover,  only  static  methods  are  allowed  because  that  is  the  only  kind  of  method  the 
algorithm  treats. 

Case  "e(ei,  e2,  e3)" 

The  final  case  in  the  algorithm  types  procedure  calls.  The  Java  specification 
handles  procedure  calls  in  the  PrimaryPref  ix  ( )  production.  First,  the 
name  of  the  procedure  is  found  in  the  identifier  typing  ,  y,  then  the  types  of  the  arguments 
are  compared  with  those  retrieved  from  y.  The  original  grammar  specification  for  Java 
allowed  arguments  to  be  expressions.  In  the  modified  specification,  all  parameters  must 
be  either  a  literal  or  a  previously  declared  and  initialized  variable  name. 
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void  Block 


Bio ckStatement List 


void  BlockStatementList 


L00KAHEAD(2)  BlockStatement ( )  )+ 


void  BlockStatement 


LOOKAHEAD(  Type ( )  <IDENTIFIER> 
LetvarStatement ( ) 

Statement ( ) 


void  LetvarStatement  (  )  : 


LocalVariableDeclaration ( )  " ;  "  BlockStatementList ( 


void  LocalVariableDeclaration ( )  : 

{} 

{ 

Type()  VariableDeclarator ( )  (  ","  VariableDeclarator 

1 


Figure  10.  Specification  Changes  for  letvar  Statement 

All  of  the  source  code  files  used  to  implement  the  static  analyzer  are  given  in 
Appendix  B. 

C.         RESTRICTIONS  IMPOSED  ON  PROGRAMS 

The  type  inference  algorithm  in  [3]  does  not  treat  an  object-oriented  language  like 
Java.  Although  we  started  with  a  JavaCC  specification  for  Java,  the  result  was  not  an 
analyzer  for  full  Java  but  rather  an  analyzer  for  that  subset  of  Java  corresponding  to  the 
simple  language  in  Figure  1 .  So  how  big  is  this  subset? 
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First,  the  subset  that  can  be  analyzed  has  no  objects,  and  consequently  no  instance 
variables  or  instance  methods. 

Second,  all  expressions  must  be  free  of  any  side  effects.  This  is  the  reason  that 
assignment  expressions  in  Java  are  prohibited,  as  are  pre  and  post  increment 
"expressions".  They  all  violate  the  confinement  property. 

Other  restrictions  on  Java  programs  include  that  they  be  closed  (no  free 
variables),  that  they  have  only  non-recursive  static  methods,  that  they  have  no  methods 
with  a  return  type  other  than  void,  and  that  they  have  no  forward  references.  Yet,  other 
restrictions  are  imposed  because  certain  constructs  were  not  treated  in  the  algorithm  of 
[3].  They  include  try-catch  blocks,  synchronized  blocks  and  so  on.  In  summary,  the 
following  features  of  Java  are  not  analyzed: 

1 .  Static  Initializes 

2.  Arrays 

3.  Explicit  Constructor  Invocation 

4.  Conditional  Expressions 

5.  Instanceof  Expressions 

6.  Preincrement  and  PreDecrement  Expressions 

7.  Postincrement  and  PostDecrement  Expressions 

8.  Cast  Expressions 

9.  Allocation  Expressions  -  (object  creation) 

10.  Labeled  Statements 

1 1 .  Switch  Statements 

12.  For  Statements 

13.  Break  Statements 

14.  Continue  Statements 

15.  Return  Statements 

1 6.  Throw  Statements 

1 7.  Synchronized  Statements 

18.  Try  Statements 

19.  Catch  Statements 

20.  Finally  Statements 
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The  constructs  that  have  been  disallowed  have  only  been  commented  out  in  the 
grammar  specification  file  listed  in  Appendix  A  in  order  to  allow  for  their 
implementation  in  the  future.  This  means  they  cannot  be  parsed  in  the  current 
implementation. 
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VI.  AN  EXAMPLE  RUN  OF  THE  STATIC  ANALYZER 

The  program  in  Figure  1 1  illustrates  an  application  of  the  static  analyzer.  It 
corresponds  to  the  example  program  of  Figure  3,  in  Chapter  III,  written  in  Java. 
However,  it  is  not  identical,  for  Java  has  no  parameter-passing  mode  corresponding  to 
mode  out.  Nevertheless,  it  serves  to  illustrate  the  analyzer.  The  results  of  the  static 
analyzer  when  run  on  this  program  are  shown  in  Figure  12. 


class    test 

{ 

public    static   void  p(int    x, 

int    y) 

{ 

int    a    =    x; 

int    b    =    0; 

while    (a    >    0)  { 

b  =  b  +   1; 

a    =   a    -    1 ; 

} 

y   =   b; 

} 

} 

Figure  1 1 .  Static  Analyzer  Test  Program 


v  = 

{to,  Ti,  12,  T3,  t4,  X5,  X6,  X7,  X8,  T9,  X10,  Tn,  T12,  T13,  T14} 

c  = 

{Th  =  T12,  Xl2<t4,  X8  =U,  X5  =  X4,  X2  <  I4,  Tn  =  Tg,  18  <  ^6,  T6  =  T3,  X7  =  T6, 

13  <  T6.  Ill  <  X9,T9  =  T2,Tl0  =  X9,  ^2  <  T9,  Tl4  <  Tl3,  Tl  =  TB,  T3  <  Xl3,  X0  <  T2} 

7t  = 

X12  proc(Tovar,  Xivar) 

Figure  12.  Test  Program  Results 

We  sketch  a  trace  of  the  analyzer  on  part  of  the  program.  The  parameters,  x  and 
y ,  are  the  first  tokens  to  be  analyzed.  They  are  assigned  the  type  variables  xo  and  Xi 
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respectively.  Then  the  variable  declaration: 

int    a   =   x 
is  analyzed.  A  new  type  variable  for  x,  namely  T2,  is  created  and  the  constraint  set 
{to  <  T2}  is  generated.  The  constraint  is  generated  by  the  case  for  identifiers  where  an 

upward  coercion  is  introduced  (see  Figure  2).  The  variable  a  is  assigned  the  type 
variable  T2  in  analyzing  the  rest  of  the  program. 
Next,  the  variable  declaration: 

int    b   -    0 
is  analyzed  in  the  same  manner,  except  that  no  constraint  is  generated  since  0  is  an 
integer.  This  is  the  integer  literal  case  of  the  type  inference  algorithm.  Finally,  b  is 
assigned  the  type  variable  T3.  At  this  point,  gamma  contains  the  following  types: 

{x  :  i0,y  :  Ti,a  :  i2,  b  :  t3} 
and  only  one  constraint,  to  <  T2,  exists. 

Next,  the  while  loop 

while (a    >    0) 
is  analyzed.  The  predicate,  a   >   0,  is  checked  first  and  generates  the  following  new 
constraints: 

T2  <  T4,  14  =  T5 

The  first  comes  from  the  identifier  case  of  the  algorithm  (upward  coercion  of  a's  type) 
and  the  second  comes  from  x,  =  x2  in  the  case  for  ei  +  ei  in  the  algorithm  of  Figure  2, 
where  X,  =  x4  and  x2  =  xs  The  rest  of  the  program  is  analyzed  in  the  same  manner. 
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VII.  CONCLUSIONS 

As  we  rely  more  on  computer  systems,  secure  flow  analysis  is  a  necessary  tool  to 
protect  the  information  stored  on  these  systems.  Denning's  work  [1]  [5]  provides  a  good 
base  of  knowledge  for  secure  information  flow.  The  Lattice  Model  consists  of  a  set  of 
storage  objects,  a  set  of  processes,  and  a  set  of  security  classes.  Each  storage  object  is 
bound  statically  or  dynamically  to  a  security  class.  Security  classes  are  required  to  form 
a  lattice,  hence  the  name.  A  flow  relation  indicates  permitted  information  flows  between 
security  classes.  The  lattice  shows  all  allowed  information  flows  within  the  system. 

Volpano  and  Smith  [3]  treat  the  model  in  the  context  of  a  type  system  and  prove 
the  soundness  of  the  type  system.  They  also  give  a  type  inference  algorithm  for  the 
system.  This  thesis  describes  an  implementation  of  that  algorithm  using  JavaCC.  The 
result  is  a  static  analyzer  that  checks  for  secure  information  flow  at  compile-time. 

The  static  analyzer  can  only  analyze  a  subset  of  the  Java  1 .0.2  language.  It  may 
be  too  limited  to  allow  one  to  write  interesting  and  useful  programs.  Future  work  might 
focus  on  analyzing  a  larger  subset  of  Java. 
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APPENDIX  A  -  JAVA  GRAMMAR  SPECIFICATION 

The  following  pages  represent  the  modified  Java  1.0.2  grammar  specification  that 
is  the  input  to  the  Java  Compiler  Compiler  The  original  grammar  file  was  developed  by 
Sriram  Sankar  on  6/1 1/96  and  is  copyrighted  by  Sun  Microsystems  Inc    Semantic  actions 
were  added  to  the  original  grammar  to  perform  secure  flow  analysis  on  a  subset  of  Java 
1.0.2  programs 
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*  Copyright  (C)  1996,  1997  Sun  Microsystems  Inc.* 
* 

*  Use  of  this  file  and  the  system  it  is  part  of  is  constrained  by  the 

*  file  COPYRIGHT  in  the  root  directory  of  this  system.  You  may, 

*  however,  make  any  modifications  you  wish  to  this  file. 
* 

*  Java  files  generated  by  running  JavaCC  on  this  file  (or  modified 

*  versions  of  this  file)  may  be  used  in  exactly  the  same  manner  as 

*  Java  files  generated  from  any  grammar  developed  by  you. 

* 

*  Author:  Sriram  Sankar 

*  Date:  6/11/96 

*  This  file  contains  a  Java  grammar  and  actions  that  implement  a 

*  front-end. 
* 

*  Modified  24  Feb  98  by  LT  James  D.  Harvey,  USN. 
* 

*  Modifications  have  been  made  to  incorporate  a  type  checker  into  the 

*  compiler.  Several  portions  of  the  Java  language  have  been  disabled 

*  in  this  version  because  the  type  checker  does  not  support  them.  The 

*  portions  that  are  not  implemented  are  as    follows: 


*  Static  Initializers 

*  Arrays 

*  Explicit  Constructor  Invocation 

*  Conditional  Expressions 

*  Instanceof  Expressions 

*  Preincrement  and  PreDecrement  expressions 

*  Cast  Expressions 

*  Allocation  Expressions 

*  Labeled  Statements 

*  Switch  Statements 

*  For  Statements 

*  Break  Statements 

*  Continue  Statements 

*  Return  Statements 

*  Throw  Statement 
Synchronized  Statement 
Try  Statement 


* 


* 
* 

*/ 


#  Permission  to  reproduce  has  been  obtained  from  Sriram  Sankar  of  Sun  Microsystems. 
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options  { 

LOOKAHEAD  =  1; 

JAVA  UNICODE  ESCAPE  =  true; 


PARSER_BEGIN ( JavaParser ) 

import  thesis.*; 

public  class  JavaParser  { 

static  SymbolGeneratcr  sg  =  new  SymbolGenerator ( ) ; 

public  static  void  main (String  args[])  { 

JavaParser  parser; 

Triple  ConstraintSet; 

Gamma  gamma  =  new  Gamma ( "my Gamma" ) ; 

if  (args. length  ==  0)  { 

System. out .println ( "Java  Parser  Version  1.0.2:   Reading  from 

standard  input  .  .  ."); 
parser  =  new  JavaParser (System. in) ; 
}  else  if  (args. length  ==  1)  { 

System. out . println ( "Java  Parser  Version  1.0.2:   Reading  from  file 

"  +  args[0]  +  "  .  .  .") ; 
try  { 

parser  =  new  JavaParser (new  Java . io . FileInputStream(args [ 0] )  )  ; 
}  catch  ( Java . io . FileNotFoundException  e)  { 

System. out .println ( "Java  Parser  Version  1.0.2:   File  "  + 

args[0]  +  "  not  found."); 
return; 

} 
}  else  { 

System. out .println ( "Java  Parser  Version  1.0.2:   Usage  is  one 

of:") ; 

System. out .println ( "  Java  JavaParser  <  inputf ile" ) ; 

System. out .println ("OR") ; 

System. out .println ( "  Java  JavaParser  inputfile"); 

return; 
} 
try  { 

ConstraintSet  =  parser . CompilationUnit (gamma) ; 

System. out .println ( "Java  Parser  Version  1.0.2:   Java  program 

parsed  successfully."); 
]  catch  (ParseError  e)  { 

System. out . println ( "Java  Parser  Version  1.0.2:   Encountered 

errors  during  parse.")  ,- 

1 

i 

; 
} 

PARSER  END (JavaParser ) 
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SKIP  :  /*  WHITE  SPACE  */ 


I  "\t" 

I  "\n" 

I  "\r" 

I  "\f" 


SPECIAL_TOKEN  :  /*  COMMENTS  V 
{ 

<SINGLE_LINE_COMMENT:  "//"  ( ~  [  "\n", "\r " ]  ) *  (  "\n" | "\r" | "\r\n") > 
I  <FORMAL_COMMENT:  "/**"  (~["  +  "])i  "'* '"  ("*"  I   (-["*","/"]   ( -  [  " +  "  ]  )  * 

I  <MULTI_LINE_COMMENT:  "/*"  (-["*"])*  "*"  ("*"  !   (~ ["*","/"]   (-["*"])* 
"*") )*  "/"> 


TOKEN  :  /*  RESERVED  WORDS  AND  LITERALS  */ 
{ 

<  ABSTRACT:  "abstract"  > 

<  BOOLEAN:  "boolean"  > 

<  BREAK:  "break"  > 

<  BYTE:  "byte"  > 

<  CASE:  "case"  > 

<  CATCH:  "catch"  > 

<  CHAR:  "char"  > 

<  CLASS:  "class"  > 

<  CONST:  "const"  > 

<  CONTINUE:  "continue"  > 

<  _DEFAULT:  "default"  > 

<  DO:  "do"  > 

<  DOUBLE:  "double"  > 


<  EXTENDS:  "extends"  > 

<  FALSE:  "false"  > 

<  FINAL:  "final"  > 

<  FINALLY:  "finally"  > 

<  FLOAT:  "float"  > 

<  FOR:  "for"  > 

<  GOTO:  "goto"  > 

<  IF:  "if"  > 

<  IMPLEMENTS:  "implements"  > 

<  IMPORT:  "import"  > 

<  INSTANCEOF:  "instanceof"  > 

<  INT:  "int"  > 

<  INTERFACE:  "interface"  > 

<  LONG:  "long"  > 

<  NATIVE:  "native"  > 

<  NEW:  "new"  > 

<  NULL:  "null"  > 

<  PACKAGE:  "package "> 

<  PRIVATE:  "private"  > 

<  PROTECTED:  "protected"  > 

<  PUBLIC:  "public"  > 

<  RETURN:  "return"  > 
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<  SHORT:  "shore"  > 

<  STATIC:  "static"  > 

<  SUPER:  "super"  > 

<  SWITCH:  "switch"  > 

<  SYNCHRONIZED:  "synchronized"  > 

<  THIS:  "this"  > 

<  THROW:  "throw"  > 

<  THROWS:  "throws"  > 

<  TRANSIENT:  "transient"  > 

<  TRUE:  "true"  > 

<  TRY:  "try"  > 

<  VOID:  "void"  > 

<  VOLATILE:  "volatile"  > 

<  WHILE:  "while"  > 


TOKEN  :  /+  LITERALS  */ 
{ 

<  INTEGER_LITERAL: 

<DECIMAL_LITERAL>  ( ["1", "L"] ) ? 
I  <HEX_LITERAL>  (["1","L"])? 

I      sUtirtii     ijiitiKAjj/      1  [      -L      ,      J_i     j   i    : 
> 
i 

<  #DECIMAL  LITERAL:  [" i"-"9" ]  (["0"-"9"])*  > 
I 

<  #HEX_LITERAL:  "0"  ["x","X"]   ( [ "0"- "9" , "a"-"f " , "A"-"F" ] ) +  > 
I 

<  #OCTAL  LITERAL:  "0"  (  [  "0"-"7"]  ) *  > 
I 

<  FLOATING_POINT_LITERAL: 

( [ " 0 " - " 9 " ] ) +  "."  ( ["0"-"9"] ) *  (<EXPONENT>) ? 
( ["f", "F", "d", "D"] ) ? 

I  "."  (["0"-"9"])+  (<EXPONENT>) ?  ( [ "f ", "F" , "d", "D" ] ) ? 
I   (  ["0"-"9"]  )+  <EXPONENT>  (  [ "f " , "F" , "d"  ,  "D" ]  ) ? 
|   ( ["0"-"9"]  )+  (<EXPONENT>) ?  [  "f " ,  "F" , "d",  "D" ] 
> 
I 

<  ^EXPONENT:  ["e","E"]   (["+","-"])?  (["0"-"9"])+  > 
I 

<  CHARACTER_LITERAL: 

ii  i  it 

(    (-[ ,"\\","\n","\r"]  ) 

I   ("\\" 

/         rnnn       t|j_it       **K"       "y-lt       ii^rit       ii\\it       nil!       I!  \    I!  11  -l 

|      r "0"-"7"]      (     [ " 0 "-"7" ]     ) ? 

I        r  "  Q  " "  3  "  I        r"Q"-"7"i       r"Q»_»"7"'| 

) 


II  I  II 


■ 
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<  5TRING_LITERAL: 

(    (~["\""t  "\\", "\n", "\r"] ) 
i  ("\\" 

(  ["n","t","b","r","f","\\","" 

|  t"0"-"7"]   (  l"0'!-::7"]  )? 

I  [  " o "— "3 " ]  ["0"-"7"]  ["0"-"7"; 

) 


r\""] 


)  * 


TOKEN  :  /*  IDENTIFIERS  */ 


<  IDENTIFIER:  <LETTER>  (<LETTER> | <DIGIT>] 


#LETTER: 


"\u0024", 
"\u0041"= 
"\u005f", 
"\u0061"- 
n\u00c0"- 
"\u00d8"- 
"\u00f8"- 
"\u0100"- 
"\u3040"- 
"\u3300"- 
"\u3400"- 
"\u4e00"- 
"\uf900"- 


"\u005a", 

"\u007a", 
"\u00d6", 
"\u00f6", 
"\u00ff", 
"\ulfff", 
"\u318f", 
"\u337f", 
"\u3d2d", 
"\u9fff", 
"\ufaff" 


<  #DIGIT: 


"\u0030"- 
"\u0660"- 
"\u06f0"- 
"\u0966"- 
"\u09e6"- 
"\u0a66"- 
"\u0ae6"- 
"\u0b66"- 
"\u0be7"  = 
"\u0c66"- 
"\u0ce6"- 
"\u0d66"- 
"\u0e50"- 
"\uOedO"- 
"\ul040"- 


"\u0039" 
"\u0669" 
"\u06f9" 
"\u096f" 
"\u09ef" 
"\u0a6f" 
"\uOaef" 
"\u0b6f" 
"\uObef" 
"\u0c6f" 
"\uOcef" 
"\u0d6f" 
"\u0e59" 
"\u0ed9" 
"\ul049" 


< 

L PAR EN 

"  ( 

1     > 

"X. 

nn7\  n  pi\t 

tt  \ 
) 

i     ^ 

1    < 

LBRACE 

ii  r 

t 

'     > 

< 

RBRACE 

"} 

'      > 

1     < 

LBPACKET : 

*[" 

> 

1    < 

RERACKET : 

']" 

> 

■V 

SEMICOLON: 

r 

1     < 

COMMA:     "," 

> 

1    < 

DOT :     " 

"     > 

TOKEN 


/*    OPERATORS    */ 


ASSIGN:     "="    > 
GT:     ">"    > 
LT:     "<"    > 
BANG:     "!"    > 
TILDE:     "~"    > 
HOOK:     "?"    > 
COLON:     ":"    > 
Eq:     «==»    > 

LE:     "<="    > 
GE:     ">="    > 
NE:     "!="    > 
SC_OR:     "||"    > 
SC   AND:     "&&"    : 


INCR: 

DECR: 

PLUS: 

MINUS: 

STAR: 

SLASH: 


"  +  "    > 

11  +  11    V, 

"/"  > 

BIT_AND:     "&"    > 
BIT_OR:     " | "    > 
XOR:     "A"    > 
REM:     "%"    > 
LSHIFT:     "«"    > 
RSIGNEDSHIFT:     ' 
RUNSIGNEDSHIFT 
PLUSASSIGN: 
MINUSASSIGN 
STARASSIGN: 


"+="    > 

fl _  If   -^ 

> 


«  + . 


SLASHASSIGN:     "/="    > 
ANDASSIGN:     '*&  =  "    > 
ORASSIGN:     "|="    > 
XORASSIGN:     "A  =  "    > 
REMASSIGN:     "%="    > 
LSHIFTASSIGN:     "<<=" 
RSIGNEDSHIFTASSIGN: 


> 

">>  =  " 


<    RUNSIGNEDSHIFTASSIGN:     ">»= 
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*  THE    JAVA    LANGUAGE    GRAMMAR    STARTS    HERE    * 
•*•**  +  +  +  +  +  +  +  +  *  +  +  +  +  +  +  *  +  *  +  ■*•**•  +  +  +  +  +  '*•'*•*****■*-  +  +  + 

/* 

*  Program  structuring  syntax  follows. 
*/ 

Triple  CompilationUnit (Gamma  gamma)  : 

{Triple  cs  =  null; } 

i 

//[  PackageDeclaration!)  ] 

// (  ImportDeclaration ( )  )* 

(  cs  =  TypeDeclaration (gamma )  ) * 

<EOF> 

{ return  cs; ) 


void  PackageDeclaration  ( )  : 
{  } 


{ 

"package"  Name ( )  "; " 


void  ImportDeclaration ( )  : 

{} 

{ 

"import"  Named  [  "•"  "  +  "  ]  ";" 
} 

Triple  TypeDeclaration (Gamma  gamma)  : 
{Triple  cs  =  null;} 
{ 
(LOOKAHEAD(  (  "abstract"  I  "final"  I  "public"  )*  "class" 

cs  =  ClassDeclaration (gamma ) 
I 

Interf aceDeclaration (gamma) 
I 

" ; " ) 
{ return  cs ; } 


/* 

*    Declaration   syntax    follows. 
V 
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Triple  ClassDeclaration (Gamma  gamma)  : 

i 

i 

Triple  cs  =  null; 

Dual  d  =  new  Dual  (  cs  ,-  gamma  )  ; 
} 
{ 

(  "abstract"  |  "final"  |  "public"  )* 

"class"  <IDENTIFIER>  [  "extends"  Name ( )  ]  [  "implements"  NameList ( ) 

"{"  (  d  =  ClassBodyDeclaration (d. gamma)  ) *  "}" 

r 

i 

if  (d  !=  null) { 
I  return  d . c  s ; 

else  { 

return  cs; 
}//end  if 


Dual  ClassBodyDeclaration (Gamma  gamma 
{ 

Triple  cs  =  null; 

Dual  d  =  null; 


L00KAHEAD(2) 

Staticlnitializer ( ) 
I 
*/ 

LOOKAHEAD(  [  "public"  |  "protected"  |  "private"  ]  Name ( )  "("  ) 

cs  =  ConstructorDeclaration (gamma) 

{d  =  new  Dual (cs, gamma) ; } 
I 

LOOKAHEAD {  MethodDeclarationLookahead ( )  ) 

d  =  MethodDeclaration (gamma ) 
I 

d  =  FieldDeclaration (gamma)  ) 

{ 

System. out . println ( "Constraint  set:  "  +  d.cs); 
System. out . println ( "Gamma :  "  +  d. gamma); 
return  d; 

} 
1 

//  This  production  is  to  determine  lookahead  only, 
void  MethodDeclarationLookahead ( )  : 
{  ) 
{ 

(  "public"  |  "protected"  |  "private"  |  "static"  |  "abstract"  I 
"final"  |  "native"  I  "synchronized"  )* 

ResultType  ( )  < IDENTIFIED  "(" 
} 


41 


void  Interf aceDeclaration (Gamma  gamma)  : 
Triple  cS  =  null; } 

(  "abstract"  |  "public"  )* 

"interface"  <IDENTIFIER>  [  "extends"  NameListO 

"{"  (  Interf aceMemberDeclaration (gamma )  )+  "}" 


void  Interf aceMemberDeclaration (Gamma  gamma)  : 
} 

LOOKAHEAD(  MethodDeclarationLookahead ( )  ) 
MethodDeclaration (gamma) 

FieldDe clara t ion (gamma) 

Dual  FieldDeclaration (Gamma  gamma)  : 
Dual  d  =  null; 

(  "public"  !  "protected"  I  "private"  I  "static"  |  "final"  I 
"transient"  I  "volatile"  )* 

Type ( )   d  =  VariableDeclarator ( gamma )  ";" 

{ 

return  d; 

} 
} 

Dual  VariableDeclarator (Gamma  gamma)  : 
> 

Triple  cs  =  new  Triple ( sg .NextSymbol (),"") ; 

String  id; 
} 
{ 

id  =  VariableDeclaratorld ( )  (  "="  cs  =  Variablelnitializer (gamma) 
cs  =  Default ( )  ) 

{ 

gamma  -  gamma .Append (new  Gammaltem(id, cs . getType ( ) , "var" ) )  ; 
Dual  d  =  new  Dual(cs,  gamma); 

return  d; 

i 

i 

) 

Triple  Default ( )  : 

{} 

{ 

{return  new  Triple ( sg .NextSymbol () ,  "");) 
} 
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String  VariableDeclaratorld ( )  : 

{ String  id; J 

{ 

<  IDENTIFIED 

{id  =  token . image ; ] 
//   (»[»»]»)* 

{ return  id; } 

) 

Triple  Variablelnitializer (Gamma  gamma)  : 

{Triple  cs  =  null;} 

{ 

/* 

"{"  [  Variablelnitializer () (  L00KAHEAD(2)  ","  Variablelnitializer ( 
)*  ]  [  ","  ]  ")" 
I 
*/ 

cs  =  Expression (gamma ) 

( return  cs; ) 
} 

Dual  MethodDeclaration (Gamma  gamma)  : 
t 

Triple  cs  =  null; 

Dual  d  =  new  Dual ( cs, gamma ) ; 

Gamma  temp; 

Gamma  param  =  new  Gamma ( "param" ) ; 
) 
{ 

(  "public"  |  "protected"  I  "private"  I  "static"  I  "abstract"  I 
"final"  |  "native"  |  "synchronized"  )* 

ResultType ( ) 

temp  =  MethodDeclarator (gamma, d) 

{ 


whi 1 e (  !  ( t  emp . i  s  Emp  t  y ( )  )  )  { 

Gammaltem  gi  =  (Gammaltem) temp . getFromList ()  ; 
gamma  =  gamma .Append (gi ) ; 
param  =  param. Append (gi ) ; 
temp  =  temp. removeFromList ( )  ; 
} //end  while 
} 

[  "throws"  NameListO  ] 
(  cs  =  Block (gamma)  I  ";"  ) 
{ 

Gammaltem  GI  =  new  Gammal tern (d. id,  cs . getType ( ) ,  "proc"); 
GI . setParam (param) ; 
d. gamma  =  d. gamma .Append (GI ) ; 
return  new  Dual (cs, d. gamma) ; 
} 
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Gamma  MethodDeclarator (Gamma  gamma,  Dual  d)  : 

{ String  id; ) 

{ 

<IDENTIFIER>  {id  =  token . image ; } 

gamma  =  FormalParameters ( )  (  "["  "]"  )+ 

{ 

d.id  =  id; 
return  gamma; 

! 
) 

Gamma  FormalParameters ( )  : 
{Gamma  temp  =  new  Gamma ( "temp" ); } 
{ 

"("  [  temp  =  FormalParameter (temp)  (  ","  temp  =  FormalParameter ( temp! 
)  *  ]  " )  " 

{ return  temp; ( 


Gamma  FormalParameter (Gamma  gamma)  : 

{ String  id; } 

{ 

Type ( )  id  =  VariableDeclaratorld ( ) 
{ 

gamma  =  gamma .Append (new  Gammaltem ( id,  sg . Next Symbol ( ) , "var" ) ) ; 
return  gamma; 
} 
) 

Triple  ConstructorDeclaration (Gamma  gamma)  : 

{Triple  cs  =  null;) 

i 

[  "public"  |  "protected"  I  "private"  ] 

<IDENTIFIER>  gamma  =  FormalParameters  ( )  [  "throws"  NameListO  ] 

"{"  //[  L00KAHEAD(2)  ExplicitConstructorlnvocation  (  )  ] 
(  cs  =  BlockStatement (gamma)  )*  ")" 

{ return  cs; ) 


/* 

void  ExplicitConstructorlnvocation 

{} 

( 

"this"  Arguments ()  ";" 
I 

"super"  Arguments ( )  " ; " 
} 
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void  Staticlnitializer ( )  : 

{} 

"static"  Block ( ) ) 


*  Type,  name  and  expression  syntax  follows 

*  / 


void  Type ( )  : 

(  PrimitiveType ( )  I  Name ( )  )  (»[»»]»)* 

void  PrimitiveType ( )  : 

"boolean" 

"char" 

"byte" 

"short" 

"int" 

"long" 

"float" 

"double" 

void  ResultType ( )  : 

"void" 

Type() 
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String  Name ( )  : 
/* 

*  A  lookahead  of  2  is  required  below  since  "Name"  can  be  followed 

*  by  a  ".*"  when  used  in  the  context  of  an  "ImportDeclaration" . 
*/ 

{ String  id; } 

i 

<  IDENTIFIED 

{id  =  token . image ; } 
//   (  LOOKAHEAD ( 2 )  " . "  <IDENTIFIER>  )* 

{ return  id; } 
} 

void  NameList ( )  : 

{} 

{ 

Name ( ) 

(  ",  "  Named 

}* 
} 


/* 

*  Expression  syntax  follows. 
*/ 

Triple  Expression (Gamma  gamma)  : 

(Triple  cs; } 

{ 

(  LOOKAHEAD (  PrimaryExpression ( gamma  )  AssignmentOperator 

cs  =  Assignment (gamma ) 
I 

cs  =  ConditionalOrExpression (gamma)  ) 

{ return  cs; } 
} 
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Triple  Assignment (Gamma  gamma) 
{ 

String  id; 

Triple  c  s ; 


id  =  PrimaryLef tExpression ( )  AssignmentOperator ( )  cs 
Expression ( gamma ) 


Gammaltem  item  =  gamma . FindType (id) ; 
if (item  !=  null) { 

String  mod  =  item. getModif ier () ; 

if (mod. equals ( "var" )  ||  mod . equals ( "ace"  ))  { 

String  tau  =  item. getType () ; 

String  tauPrime  =  cs . getType () ; 

String  alpha  =  sg. Next Symbol () ; 

Constraintltem  cil  =  new  Constraintltem ( tau, tauPrime) ; 

Constraintltem  ci2  =  new  Constraintltem ( tauPrime, tau) ; 

Constraintltem  ci3  =  new  Constraintltem (alpha, tauPrime ) ; 

cs  =  cs .Append ( cil ) 

cs  =  cs .Append ( ci2 ) 

cs  =  cs .Append ( ci3 ) 

cs . setModif ier ( "cmd" 

cs.setType(alpha)  ; 


else  { 

System. err . println ( "Secure  Parse  failed"); 
System. exit ( 0 ) ; 
)  //end  if 
} 
else  { 

System. out .println ( "Unrecognized  variable  "  +  id); 
System. exit  (  0 ) ; 
)//end  if 
return  cs; 


void  AssignmentOperator 
{} 


it_.ii     ti  +  _.»i     " /="     "a 

f i  r  -  "   I    n  a it    I    tt  I  _  tt 


'&=' 


-It    I     It  _L II         It 


+=" 


»«=»  I  ">>="  I  ">»= 


/* 

void  ConditionalExpression 


ConditionalOrExpression ( ) 
ConditionalExpression ( )  ] 
} 
V 


[  "?"  Expression 
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Triple  ConditionalOrExpression (Gamma  gamma)  : 

r 

l 

Triple  csl; 

Triple  cs2  =  null;} 
i 

csl  =  ConditionalAndExpression (gamma )   (  "| I"  cs2  = 
ConditionalAndExpression (gamma) 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 
String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  Constraintltem (taul, tau2 
Constraintltem  ci2  =  new  ConstraintItem( tau2, taul 
csl  =  csl .Union (cs2 ) .Append (cil ) .Append (ci2 ) ; 
} 
} 

)* 
{ return  csl ; } 


Triple  ConditionalAndExpression (Gamma  gamma! 

i 
\ 

Triple  csl; 

Triple  cs2  =  null; 


csl  =  InclusiveOrExpression (gamma)  (  "&&"  cs2  = 
InclusiveOrExpression (gamma) 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 
String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  ConstraintItem(taul , tau2 
Constraintltem  ci2  =  new  ConstraintItem( tau2 , taul 
csl  =  csl .Union (cs2 ) .Append ( cil ) .Append (ci2 ) ; 
1 
} 

)* 

{ return  csl ; } 
} 
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Triple  InclusiveOrExpression (Gamma  gamma' 
{ 

Triple  csl; 

Triple  cs2  =  null; 


csl  =  ExclusiveOrExpression (gamma )  (  "|"  cs2  = 
ExclusiveOrExpression (gamma) 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType  ()  ; 

String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  Constraintltem ( taul, tau2 [ 

Constraintltem  ci2  =  new  Constraintltem ( tau2 , taul 

csl  =  csl .Union (cs2 ) .Append (cil ) .Append (ci2 ) ; 


return  csl ; } 


Triple  ExclusiveOrExpression ( Gamma  gamma! 

/ 
\ 

Triple  csl; 

Triple  cs2  =  null; 


csl  =  AndExpression (gamma)  (  """    cs2  =  AndExpression (gamma) 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType  ()  ; 

String  tau2  =  cs2 . getType  () ; 

Constraintltem  cil  =  new  Constraintltem ( taul , tau2 )  ; 

Constraintltem  ci2  =  new  Constraintltem ( tau2 , taul ) ; 

csl  =  csl .Union (cs2 ) .Append (cil ) .Append (ci2 ) ; 


return  csl; 


4l) 


Triple  AndExpression (Gamma  gamma 
{ 

Triple  csl; 

Triple  cs2  =  null; 


csl  =  EqualityExpression (gamma)  (  "&"  cs2  =  EqualityExpression (gamma ] 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraint-Item  cil  =  new  ConstraintItem( taul , tau2 ) ; 

Constraintltem  ci2  =  new  ConstraintItem( tau2 , taul ) ; 

csl  =  csl .Union  (cs2 )  .Append (cil )  .Append (ci2 )  ; 


} 
} 

)* 
{ return  csl ; 


Triple  EqualityExpression (Gamma  gamma 
{ 

Triple  csl; 

Triple  cs2  =  null; 


csl  =  RelationalExpression (gamma)  (  (  "=="  |  "!=»  )  CS2  = 
RelationalExpression (gamma) 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 
String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  ConstraintItem( taul, tau2 ) ; 
Constraintltem  ci2  =  new  ConstraintItem(tau2, taul) ; 
csl  =  csl .Union (cs2 ) .Append (cil ) .Append (ci2) ; 
} 
} 

)  + 

( return  csl ; } 
} 

/* 

void  InstanceOf Expression ( )  : 

{} 

{ 

RelationalExpression ( )  [  "instanceof"  Type ( )  ] 
} 
*/ 
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Triple  RelationalExpression (Gamma  gamma) 

{ 

Triple  csl; 
Triple  cs2  =  null; 


csl  =  ShiftExpression (gamma)  (  (  "<"  |  ">"  |  "<="  |  ">="  )  cs2 
Shif tExpression (gamma) 
{ 

if  (cs2  !=  null)  { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  Constraintltem ( taul , tau2 ) ; 

Constraintltem  ci2  =  new  Constraintltem ( tau2 , taul ) ; 

csl  =  csl .Union (cs2 )  .Append (cil)  .Append (ci2)  ; 


return  csl; 


! 


Triple  Shif tExpression ( Gamma  gamma)  : 
{ 

Triple  csl; 
Triple  cs2  =  null; 
} 
{ 

csl  =  AdditiveExpression  (gamma)  (  (  "<<"  |  ">>"  |  ">»"  )  cs2  = 
AdditiveExpression (gamma ) 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  Constraintltem (taul , tau2 ) ; 

Constraintltem  ci2  =  new  ConstraintItem( tau2, taul) ; 

csl  =  csl .Union (cs2 ) .Append ( cil ) .Append (ci2 ) ; 


)* 

{ return  csl ; 
} 
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Triple  AdditiveExpression (Gamma  gamma)  : 

{ 

Triple  csl; 

Triple  cs2  =  null; 
) 
{ 

csl  -  MultiplicativeExpression (gamma)   (  (  "+"  |  "-"  )  cs2  = 
MultiplicativeExpression (gamma) 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  Constraintltem ( taul , tau2 ) ; 

Constraintltem  ci2  =  new  Constraintltem (tau2, taul ) ; 

csl  =  csl . Union  (cs2 )  .Append (cil )  .Append ( ci2 ) ; 


return  csl; 


Triple  MultiplicativeExpression (Gamma  gamma 
{ 

Triple  csl; 

Triple  cs2  =  null; 


csl  =  UnaryExpression (gamma)  (  (  "+"  I  "/"  |  "-"  )  cs2  = 
UnaryExpression (gamma) 
{ 

if (cs2  !=  null) { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  Constraintltem ( taul , tau2 ) ; 

Constraintltem  ci2  =  new  Constraintltemf tau2 , taul ) ; 

csl  =  csl .Union (cs2 ) .Append (cil ) .Append (ci2 ) ; 


{ 


return  csl; 
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Triple  UnaryExpression (Gamma  gamma)  : 

{Triple  cs; ) 

{ 

((  "+"  |  "-"  )  cs  =  UnaryExpression (gamma ) 
I 
/* 

PrelncrementExpression  ( ) 
I 

PreDecrementExpression ( ) 
I 
*/ 

cs  =  UnaryExpressionNotPlusMinus (gamma)  ) 

{ return  cs; ) 
} 

/* 

void  PrelncrementExpression ( )  : 

{  ) 

{ 

"++"  PrimaryExpression  (  ) 
} 

void  PreDecrementExpression ( )  : 

{} 

{ 

"--"  PrimaryExpression)) 
} 
*/ 

Triple  UnaryExpressionNotPlusMinus (Gamma  gamma) 

{Triple  cs; } 

{ 

((  "~"  I  "!"  )  cs  =  UnaryExpression (gamma) 
I 
/* 

LOOKAHEAD(  CastLookahead ( )  ) 

CastExpression ( ) 
I 
*/ 

cs  =  Postf ixExpression (gamma)  ) 

{ return  cs ; } 
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/* 

//  This  production  is  to  determine  lookahead  only.   The  LOOKAHEAD 
//  specifications  below  are  not  used,  but  they  are  there  just  to 
//  indicate  that  we  know  about  this, 
void  CastLookahead ( )  : 


LOOKAHEAD ( 2 ) 

"("  PrimitiveType ( ) 


LOOKAHEAD ( " ( "  Name 
" ( "  Name ( ) 


it  r  T1    M  1  Tl 


"("  Named  ")"  (  "~"  I  "<"  I  "("  I  <IDENTIFIER>  |  "this"  |  "super" 
new"  |  Literal  ()  ) 

*/ 

Triple  Postf ixExpression (Gamma  gamma)  : 
Triple  cs ; } 

cs  =  PrimaryExpression (gamma)  //[  "++"  |  "--"  ] 
{ return  cs; } 


/* 

void  CastExpression ( )  : 
} 

( LOOKAHEAD ( 2 ) 

"("  PrimitiveType ()  (  "["  "]"  )*  ")"  UnaryExpression ( ) 

"("  Named   (  "["  "]"  )*  ")"  UnaryExpressionNotPlusMinus 

*/ 

Triple  PrimaryExpression (Gamma  gamma)  : 
Triple  cs  =  null;} 

cs  =  PrimaryPrefix (gamma)  // (  PrimarySuf fix (gamma)  )* 

{ return  cs; } 
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Triple  PrimaryPref ix ( Gamma  gamma)  : 
{ 

Triple  cs  =  null; 
Triple  csl  =  null; 
Triple  cs2  =  null; 
String  id  =  null; 
Gamma  temp  =  null; 
] 
{ 

( cs  =  Literal  (  ) 
I 

["this"  "."]  id  =  Named 
{ 

Gammaltem  item  =  gamma . FindType ( id) ; 
if (item  !=  null) { 

String  mod  =  item. getModif ier ( ) ; 
if (mod. equals ( "var" )  II  mod. equals ("")) { 
String  tau  =  item. getType ( ) ; 
String  alpha  =  sg . NextSymbol ( ) ; 

Constraintltem  cxl  =  new  ConstraintItem( tau, alpha ) ; 
cs  =  new  Triple ( cil , alpha ,"") ; 
} 

else  if (mod. equals ( "proc" )) { 
temp  =  item. getParam ( ) ; 

i 

i 

else  { 

System. err . println ( "Secure  Parse  failed"); 
System. exit ( 0 ) ; 
J //end  if 
} 
else  { 

System. out . println ( "Undefined  variable:  "  +  id); 
//     System. exit ( 0) ; 

temp  =  new  Gamma ( "temp" ) .Append (new  Gammaltem ("", sg, "")) ; 
}//end  if 
} 

[  "("  [  csl  =  PrimaryPref ix (gamma) 
{ 

//create  constraint  type (csl)  =  type (param) 

String  tauPrime  =  csl . getType () ; 

String  taul  =  ( (Gammaltem) temp . getFromList ()). getType () ; 

temp . removeFromList ( ) ; 

Constraintltem  cil  =  new  Constraintltem (taul , tauPrime) ; 

Constraintltem  ci2  =  new  Constraintltem (tauPrime, taul ) ; 

//add  constraint  to  csl 

csl  =  csl .Append (cil) .Append (ci2) ; 

cs  =  csl; 
} 

(  ","  cs2  -  PrimaryPref ix (gamma) 
{ 

//create  constraint  type(cs2)  -   type (param) 

String  tauDoublePrime  =  cs2 . getType () ; 

String  tau2  =  ( (Gammaltem) temp . getFromList ()). getType () ; 

temp. removeFromList ( ) ; 

Constraintltem  ci3  =  new  Constraintltem ( tau2 , tauDoublePrime) ; 
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Constraintltem  ci4  =  new  Constraintltem ( tauDoublePrime, tau2 ) ; 

//csl  Union  cs2 

csl  =  csl .Union (cs2 ) ; 

//add  constraint  to  csl 

csl  =  csl .Append ( ci3) .Append (ci4 ) ; 

c  s  =  csl; 

) 

)  *  ]  " )  "  1 
/  + 
I 

"this" 
I 

"super"  "."  <IDENTIFIER> 
*/ 
I 

"("  cs  =  Expression (gamma)  ")" 
/* 
I 

AllocationExpression ( ) 
*/ 

) 

{  return  cs ; } 
} 

/* 

Triple  PrimarySuf f ix ( )  : 

{} 

{ 

" ["  Expression ()  "J " 
I 

"."  <IDENTIFIER> 
I 

Arguments ( ) 
} 
*/ 

String  PrimaryLeftExpression ( )  : 

{} 

{ 

[  "  ("  ]  [  "this"  "."  ]  Named  [  ")  "  ] 

{return  token. image; } 
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Triple  Literal ( )  : 

{  ) 

{ 

(  <INTEGER_LITERAL> 
I 

<FLOATING_POINT_LITERAL> 

I 

<CHARACTER_LITERAL> 
I 

<STRING_LITERAL> 
I 

BooleanLiteral ( ) 
I 

NullLiteral ( )  ) 

{return  new  Triple  (  sg . NextSymbol (),"" )  ; 
} 

void  BooleanLiteral ( )  : 

{  } 

{ 

"true" 
I 

"false" 
} 

void  NullLiteral ( )  : 

{} 

f 

"null" 
} 

/* 

void  Arguments ( )  : 


"("  [  ArgumentList ( )  ]  ")" 
} 

Triple  ArgumentList (Gamma  gamma)  : 

{  } 

{ 

Expression ( )  (  ","  Expression ()  ) 
} 
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void  AllocationExpression 


L00KAHEAD(2) 

"new"  PrimitiveType ( )  ArrayDimensions ( ) 
I 

"new"  Name ( )  (  Arguments ( )  I  ArrayDimensions ( )  ) 
} 
V 

/*  The  second  LOOKAHEAD  specification  below  is  to  parse  to 

*  PrimarySuf f ixif  there  is  an  expression  between  the  "[...]".  +/ 
/* 

void  ArrayDimensions ( )  : 
{  } 
! 

(  LOOKAHEAD (2)  " [ "  Expression ()  "]"  )+  (  LOOKAHEAD  (2)  "["  "]"  p 
} 
*/ 

/* 

+  Statement  syntax  follows. 
*/ 
Triple  Statement (Gamma  gamma)  : 
(Triple  cs  =  null;} 
{ 

(LOOKAHEAD (2) 
/* 

LabeledStatement ( ) 

/ 

cs  -  Block (gamma) 

cs  =  EmptyStatement (gamma) 

cs  =  StatementExpression (gamma)  " ; " 

SwitchStatement ( ) 

/ 
cs  =  If Statement ( gamma ) 

cs  =  WhileStatement (gamma) 

cs  =  DoStatement (gamma) 


ForStatement ( ) 
BreakStatement ( ) 
ContinueStatement ( ) 
ReturnStatement ( ) 
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ThrowStatement ( ) 

Synch roni zeds tat ement 

TryStatement ( ) 
7 
) 
{ return  cs; } 


/* 

void  LabeledStatement ( )  : 

{  1 

{ 

<IDENTIFIER>  ":"  Statement ( ) 
} 
*/ 

Triple  Block (Gamma  gamma)  : 

{Triple  cs; } 

{ 

"{"  cs  =  BlockStatementList (gamma)  "}" 

{ return  cs ; ] 


Triple  BlockStatementList (Gamma  gamma) 
{ 

Triple  csl  =  null; 

Triple  cs2; 
} 


I 


(  L00KAHEAD(2)  cs2  =  BlcckStatement ( gamma ) 

r 

i 

if (cs2  !=  null)  { 
if  (csl  ==  null)  { 

csl  =  cs2; 
) 
else  { 

String  taul  =  csl . getType () ; 

String  tau2  =  cs2 . getType () ; 

Constraintltem  cil  =  new  Constraintltem ( taul, tau2) ; 

Constraintltem  ci2  =  new  Constraintltem ( tau2 , taul ) ; 

csl  =  csl . Union (cs2 ) ; 

csl  =  csl .Append ( cil )  ; 

csl  =  csl .Append (ci2  )  ; 
}//end  if 
}//end  if 


return  csl; 


59 


Triple  Blocks tatement (Gamma  gamma)  : 

{Triple  cs; ) 

{ 

( LOO KAHEAD (Type ( )  <IDENTIFIER> ) 

cs  =  LetvarStatement (gamma ) 
I 

cs  =  Statement (gamma ) ) 

{ return  cs; } 
} 

Triple  LetvarStatement  (Gamma  gamma) 
{ 

Dual  d; 

Triple  cs  =  null; 
} 
{ 

d  =  LocalVariableDeclaration (gamma! 

{ gamma  =  d . gamma ; ) 

cs  =  BlockStatementList (gamma) 

{ 

if (cs  !=  null) { 
cs .Union  (d. cs )  ; 
cs . setModif ier ( "cmd" ) ; 
} 
else  { 

cs  =  d. cs ; 
} 
return  cs; 


Dual  LocalVariableDeclaration (Gamma  gamma)  : 

{Dual  d; } 

{ 

Type ( ) 

d  =  VariableDeclarator (gamma) 
(  ","  VariableDeclarator (gamma)  )* 

{ return  d; } 
} 

Triple  EmptyS tatement (Gamma  gamma)  : 

{} 

{ 

IT  .  It 
f 

{return  new  Triple (sg.NextSymbol (), "cmd" ); J 
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Triple  StatementExpression (Gamma  gamma)  : 
/  + 
+  The  last  expansion  of  this  production  accepts  more  than  the  legal 
*  Java  expansions  for  StatementExpression. 
V 
{ Triple  cs ; ) 
{ 

(  LOOKAHEAD (  PrimaryExpression ( gamma )  AssignmentOperator (gamma)  ) 
cs  =  Assignment (gamma) 
I 

cs  =  Postf ixExpression (gamma )  ) 
{ return  cs ; ) 
} 

/* 

void  SwitchStatement ( )  : 

{) 

{ 

"switch"  "("  Expression ()  ")"  "{" 

(  SwitchLabel ( )  (  BlockStatement ( )  ) +  )* 

"}" 
} 

void  SwitchLabel ( )  : 

{) 

{ 

"case"  Expression ()  ":" 
I 

"default"  ":" 
) 
*/ 
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Triple  If Statement (Gamma  gamma)  : 
/* 

*  The  disambiguating  algorithm  of  JavaCC  automatically  binds  dangling 

*  else's  to  the  innermost  if  statement.   The  LOOKAHEAD  specification 

*  is  to  tell  JavaCC  that  we  know  what  we  are  doing. 
*/ 

{ 

Triple  cs; 
Triple  csl; 
Triple  cs2  =  null; 


"if"  "("  cs  =  Expression (gamma)  ")" 

csl  =  Statement (gamma) 

[  LOOKAHEAD(l)  "else"  cs2  =  Statement (gamma)  ] 

{ 

String  tau   =  cs . getType ( ) ; 

String  taul  =  csl . getType () ; 

String  alpha  =  sg . NextSymbol ( ) ; 

Constraintltem  cil  =  new  ConstraintI tern ( tau, taul ) ; 

Constraintltem  ci2  =  new  Constraintltem (taul, tau) ; 

Constraintltem  ci3  =  new  Constraintltemfalpha, tau) ; 

cs  =  cs . Union (csl ) .Append (cil ) .Append ( ci2 ) .Append (ci3 ) ; 

cs . setType (alpha ) ; 

cs . setModif ier ( "cmd" ) ; 

if (cs2  !=  null) { 

String  tau2  =  cs2 . getType () ; 

Constraintltem  ci4  =  new  ConstraintItem( tau, tau2 ) ; 
Constraintltem  ci5  =  new  ConstraintItem( tau2, tau) ; 
Constraintltem  ci6  =  new  ConstraintItem( taul, tau2 ) ; 
Constraintltem  ci7  =  new  Constraintltem (tau2 , taul ) ; 
cs  = 
cs .Union (cs2) .Append(ci4) .Append(ci5) .Append(ci6) .Append(ci7) ; 
}//end  if 
return  cs; 
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Triple  WhileStatement (Gamma  gamma) 
{ 

Triple  csl  =  null; 

Triple  cs2  =  null; 


"while"  "("  csl  -  Expression (gamma )  ")"  cs2  =  Statement (gamma ] 
{ 

String  tau  =  csl . getType () ; 

String  tauPrime  =  cs2 . getType () ; 

String  alpha  =  sg . NextSymbol () ; 

Constraintltem  cil  =  new  Constraintltem (tau, tauPrime )  ; 

Constraintltem  ci2  =  new  Constraintltem ( tauPrime, tau) ; 

Constraintltem  ci3  =  new  Constraintltem (alpha, tau) ; 

csl  =  csl .Union (cs2 ) .Append ( cil ) .Append ( ci2 ) .Append (ci3) ; 

csl . setType (alpha ) ; 

csl . setModif ier ( "cmd"  )  ; 

return  csl; 


Triple  DoStatement (Gamma  gamma; 
{ 

Triple  csl  =  null; 

Triple  cs2  =  null; 


I 


"do"  cs2  =  Statement (gamma)  "while"  "("  csl  =  Expression (gamma! 


String  tau  =  csl . getType () ; 

String  tauPrime  =  cs2 . getType () ; 

String  alpha  =  sg. NextSymbol () ; 

Constraintltem  cil  =  new  Constraintltem ( tau, tauPrime) ; 

Constraintltem  ci2  =  new  ConstraintItem( tauPrime, tau) ; 

Constraintltem  ci3  =  new  Constraintltem (alpha, tau) ; 

csl  =  csl .Union ( cs2 ) .Append (cil ) .Append (ci2 ) .Append (ci3) ; 

csl . setType (alpha) ; 

csl . setModif ier ( "cmd") ; 

return  csl; 


i 


/* 

void  ForStatement ( )  : 

U 

{ 

"for"  "("  [  ForlnitO  ] 
[  Expression 


ForUpdateO  ] 


Statement 
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void  Forlnit ( )  : 

LOOKAHEAD(  Type ( )  <TDENTIFIER>  ) 
LocalVariableDeclaration ( ) 

StatementExpressionList ( ) 
void  StatementExpressionList ( )  : 

StatementExpression ( )  (  ","  StatementExpression 

void  ForUpdate ( )  : 

StatementExpressionList ( ) 
void  BreakStatement ( )  : 

"break"  [  < IDENTIFIED  ] 
void  ContinueStatement ( )  : 

"continue"  [  <IDENTIFIER>  ]  ";" 


void  ReturnStatement ( )  : 
} 

"return"  [  Expression ( )  ] 


void  ThrowStatement ( )  : 

"throw"  Expression () 

void  SynchronizedStatement ( )  : 

"synchronized"  "("  Expression ( )  ")"  Block ( 
} 
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void  TryStatement ( ) 


"try"   Block () 

(  "catch"  "("  FormalParameter ( )  ")"  Block ()  ) 

[  "finally"  Block ( )  ] 

7 
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APPENDIX  B  -  STATIC  ANALYZER  SOURCE  CODE 
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//  File:  Gamma. Java 

//  Date:  24  Feb  98 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer.   Basically  a  linked  list. 

package  thesis; 

import  java.io.*; 

public  class  Gamma 
i 

protected  Object  ob  j  ; 

protected  Gamma  next; 

protected  Gamma  rear  =  null; 

public  String  name; 

public  Gamma (String  name) 
{ 

this.obj  =  null; 

this. next  =  this; 

this. name  =  name; 

if ( rear  ==  null ) 
rear  =  this; 


private  Gamma ( ) 
{ 

this.obj  =  null; 

this. next  =  this; 


public  Object  getFromList ( ) 
{ 

return  this.obj; 
] 

public  Gamma  removeFromList ( ) 
{ 

return  this. next; 


public  synchronized  boolean  isEmpty 
{ 

if (this  ==  rear) 

return  true; 
else 

return  false; 
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public  Gamma  Append (Gamma Item  gi ) 
{ 

Gamma  g  =  new  Gamma ( ) ; 

g.obj  =  gi; 
g.next  =  this; 
retur n  g ; 


public  Gammaltem  FindType ( String  name) 

Gammaltem  temp  =  null; 

Gamma  list  =  this; 

boolean  matchFound  =  false; 

do{ 

ifilist.obj  ==  null) 
return  null; 

String  item  =  (( Gammaltem) list . obj ). Name; 

if ( item. equals (name ) ) { 

temp  =  (Gammaltem) list .  obj ; 

matchFound  =  true; 
} 
else  ( 

list  =  ( Gamma ) list . next  ; 
}//end  if 
j while ( ! matchFound) ; 

return  temp; 


public  String  toString() 
{ 

if (isEmpty ( ) ) 
return  ""; 

else 

return (this . obj  +  ""  +  this. next); 
i 

}//end  gamma  class 
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/  /**±ir  +  **  +  *  +  **  +  ±  +  +  +  ic**ir  +  +  +  +  *  +  +  irieir  +  +  **  +  +  +  +  +  ±  +  +  **+  +  ic  +  +  +  +  +  +  +  +  -)r-)r  +  -k  +  +  -1rie-k-)c-k-ir  + 

//  File:  Gammal tern. Java 

//  Date:  24  Feb  98 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer.   It  is  an  item  to  be  placed  into  gamma.  The 

//  structure  consists  of  a  name  and  a  type.   The  type  may 

//  consist  of  1-3  fields. 

package  thesis; 

import  java.io.+; 

public  class  Gamma I tern 
{ 

protected  String  Name; 

protected  String  Type; 

protected  String  Modifier; 

private  Gamma  param; 

public  GammaItem(String  Name,  SymbolGenerator  sg,  String  mod) 
{ 

this. Name  =  Name; 

this. Type  =  sg . NextSymbol ( ) ; 

this .Modifier  =  mod; 
1 

public  Gammaltem( String  Name,  String  Type,  String  mod) 
{ 

this. Name  =  Name; 

this. Type  =  Type; 

this .Modi fier  =  mod; 


public  void  set Param (Gamma  gammal 
this. param  =  gamma; 


public  Gamma  getParamf) 
{ 

return  this. pa ram; 


public  String  getName 
{ 

return  this. Name; 


public  String  getType ( ) 
{ 

return  this. Type; 
} 
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public  String  getModif ier ( ) 
{ 

return  this .Modifier ; 
) 

public  String  toString() 
{ 

if (Modifier . equals ( "proc" )  )  { 

return  ("("+  Name  +":"+  Type  +  Modifier  +"("+  param  +")"+")"); 
) 
elsel 

return  (  "("  +  Name  +  ":"  +  Type  +   Modifier  +  ")"  ); 
] //end  if 
} 
//end  class 
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//  +  +  *  +  +  +  +  **  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *  +  +  +  +  +  *  +  *  +  *  +  *  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *■  +  *■+■  +  +  +■+■*■ 

II  File:  Triple. Java 

//  Date:  24  Feb  98 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer.   The  structure  consists  of  a  constraint  set 

//  and  a  principle  type.   The  type  may  consist  of  1-2 

//  fields. 

//******  +  *  +  +  +  ***  +  **  +  **  +  +  +  +  **  +  **  +  **  +  +  ***  +  +  ***  +  +  +  *  +  *  +  *  +  +  +  +  +  +  *  +  +  +  ***  +  ■»-**•*•-*- 

package  thesis; 

public  class  Triple 
{ 

private  LinkedList  ConstraintSet ; 

private  String  Type; 

private  String  TypeModif ier ; 

public  Triple  (  ) 
( 

this. Type  =  "Type"; 

this .TypeModif ier  =  "mod"; 

ConstraintSet  =  new  LinkedList ( "name" ) ; 


public  Triple (Constraintltem  ci,  String  Type,  String  Modifier; 
{ 

ConstraintSet  =  new  LinkedList ( "name" ) ; 

this. Type  =  Type; 

this . TypeModif ier  =  Modifier; 

ConstraintSet  =  ConstraintSet . addToList (ci ) ; 


public  Triple (LinkedList  ConstraintSet,  String  Type,  String  Modifier) 
{ 

this. Type  =  Type; 

this .TypeModif ier  =  Modifier; 

this . ConstraintSet  =  ConstraintSet; 
} 

public  Triple  (String  Type,  String  Modifier) 
{ 

this. Type  =  Type; 

this. TypeModif ier  =  Modifier; 

ConstraintSet  =  new  LinkedList ( "name" ) ; 
] 

public  String  getType ( ) 
{ 

return  this. Type; 
) 
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public  String  getModif ier ( ) 
< 

return  this . TypeModif ier ; 


public  void  setModif ier (String  Modifier) 
{ 

this . TypeModif ier  -  Modifier; 

i 
i 

public  void  setType (String  type) 
{ 

this. Type  =  type; 
) 

public  Triple  Union  (Triple  setTwo) 
{ 

LinkedList  temp  =  this . ConstraintSet ; 
if ( (Constraintltem) temp. obj  ==  null){ 

return  new  Triple (setTwo . ConstraintSet , this . Type, 

this . TypeModif ier ) 
] 

while (temp . next . obj  !=  null){ 
temp  =  temp. next; 


temp. next  =  setTwo . ConstraintSet ; 

this . ConstraintSet . rear  =  setTwo . ConstraintSet . rear ; 

return   new  Triple (this. ConstraintSet, this. Type, this. TypeModif ier ) ; 


public  Triple  Append (Constraintltem  C) 
! 

return  new  Triple ( this . ConstraintSet . addToList (C) ,  this. Type, 

this .TvpeModif ier ) ; 
1 

public  String  toString() 
{ 

return ("{"+" ["+  ConstraintSet  +"]"+","+  Type  +  TypeModifier  +"]"  ); 

i 

; 

i //end  class 
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//  +  +  +  +  +  +  4-  +  +  ^4.  +  +  +  +  +  +  +  +  +  +  +  +  +  +  ^*  +  +  +  +  +  +  *+  +  +  4-  +  +  +  +  +  +  +  +  +  +  4-  +  +  +  +  +  *  +  4-->-  +  -*-  +  *+  +  *,l.*-l-* 

//  File:  Constraintltem. Java 

//  Date:  24  Feb  98 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer.   The  structure  consists  two  types. 

package  thesis; 

public  class  Constraintltem 

r 
i 

protected  String  Typel; 

protected  String  Type2; 

public  ConstraintItem(String  Typel,  String  Type2 ) 
! 

this. Typel  =  Typel; 

this.Type2  =  Type2; 


public  String  toString ( ) 
( 

return  (  "("  +  Typel  +  ","  +  Type2  +  ")"  ); 


} 

i 
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//  File:  LinkedList . Java 

//  Date:  24  Feb  96 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer. 

package  thesis; 

public  class  LinkedList 
f 

protected  Object  ob  j  ; 

protected  LinkedList  next; 

protected  LinkedList  rear  -  null; 

public  String  name; 

public  LinkedList ( String  name) 

i 

i 

this.obj  =  null; 
this. next  =  this; 
this. name  =  name; 

if (rear  ==  null) 
rear  =  this; 


private  LinkedList ( 
i 

this.obj  =  null; 

this. next  =  this; 


public  LinkedList  addToList (Ob ject  o] 
{ 

LinkedList  1  =  new  LinkedList ( ) ; 

1 .  ob  j  =  o; 

l.next  =  this; 

return  1; 


public  Object  getFromList ( ) 
return  this.obj; 

public  LinkedList  remove FromList ( ) 
return  this. next; 
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public  synchronized  boolean  isEmptyO 
{ 

if (this  ==  rear) 

return  true; 
else 

return  false; 


public  String  toString ( ) 
{ 

if (isEmpty ( ) ) 
return  ""; 

else 

return ( this . obj  +  "  "  +  this. next); 
i 

//end  class 
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//  File:  SyrnbolGenetator .  Java 

//  Date:  24  Feb  9  8 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer.  Generates  new  type  variables 

package  thesis; 

import  j ava . io , + ; 


public  class  SymbolGenerator 
{ 

private  int  counter  =  0; 

private  static  String  TAU  =  "tau"; 

public  synchronized  String  NextSymbol ( ) 
f 

String  Symbol  =  TAU  +  counter; 

counter++; 

return  Symbol; 


public  static  void  main (String  []  args) 

; 

i 

SymbolGenerator  sg  =  new  SymbolGenerator 

for (int  i  =  0;  i  <  10;  i++) { 

System. out .print In (sg. NextSymbol ( ) ) ; 

i 
j 

} 

} //end  class 
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//  +  +  ±*  +  +  +  +  +  ±  +  +  ±  +  +  +  ±  +  ±  +  +  +  +  ±  +  +  +  +  *  +  ±  +  ±±  +  ±±  +  +  +  +  ±  +  +  +  +  +  +  +  +  +  +  +  +  ±  +  +  +  ±  +  +  +  -)r-k-)r->r  +  +  + 

II  File:  SyrobolGenetator  .  j ava 

//  Date:  2  4  Feb  9  8 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer.  A  data  structure 

//  +  ±  +  ++  +  +  +  *  +  +  +  +  +  +  +  +  ±  +  +  +  +  +  +  +  +  +  +  +  ±  +  ±  +  +  +  +  ±  +  ±+  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *  +  +  +  ±±±-tr  +  -)r-*-+-± 

package  thesis; 

public  class  Dual 
{ 

public  Triple  cs; 

public  Gamma  gamma; 

public  String  id; 

public  Dual (Triple  cs,  Gamma  gamma) 
{ 

4-v. .:  _  ,-,_  ..  _„  , 

t-iiXo.wo   —   wo  , 

this. gamma  =  gamma; 
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APPENDIX  C  -  TEST  PROGRAMS 
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//  +  +  +  +  *  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *■ 

//  File:  test. Java 

//  Date:  24  Feb  98 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer. 

//    +    +    +    ±    +    +   +    +   +    +    +   +    +    +   +    +    +   +   ±±±±    +   +    +    +    +    +    +    +    ±    +    +    +    +   +    +    +    +   +    +    ±    +   +   +   +   +   +    +    ±    +    ±    +    +    +    +   +   +    +    +   -k-k-)r    +    -lr    +   + 

class  test 
{ 

public  static  void  pl(int  x,  int  y) 

{ 

y  =  x; 


The  output  of  the  static  analyzer  on  the  above  program  produced  the  following  results: 

Constraint  set:  {13  <  T2,  T2  =  Xi,  to  <  12} 
Gamma:  pi  :  x^proc  (x0var,    Xivar) 

Results  show,  with  x:  x()var  and  y:  iivar,  that  Xo  <  Xi.  This  is  what  we  would  expect  to 
ensure  secure  flow  since  the  program  assigns  the  value  of  x  to  y. 
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//  +  +  +  +  +  +  +  +  *-  +  *  +  +  **-  +  **  +  *7k-  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *  +  +  +  +  +  +  +  *  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  + 

//  File:  test. Java 

//  Date:  24  Feb  98 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information  flow  static 

//  analyzer. 

//  +  +  +  +  *  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *  +  +  +  +  +  +  +  +  +  +  +  +  +  ■*-  + 

class  test 
{ 

public  static  void  pl(int  x,  int  y) 

{ 

i  f ( x  ==  0 ) 

y  =  0; 
else 

y  -  1; 


The  output  of  the  static  analyzer  on  the  above  program  produced  the  following  results: 

Constraint  set:  {17  =  X5, 17  =  i:,  Xs  <  X2,  X5  =  X2,  X3  =  X2, 
Xo  <  X2,  T5  <  X4,  14  =  Xi,  x7  <  x6,  X6  =  Xi   } 
Gamma:  pi  .  Xsproc  (Xovar,    iivar) 


//  +  *  +  +  +  +  +  +  **  +  +  +  *  +  +  +  +  +  +  *  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  ■*•  +  +  +  •*•  +  ■*■-*-  +  ■*•  +  ■*• 

//  File:  test. Java 

//  Date:  24  Feb  98 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information 

//  flow  static  analyzer. 

//**  +  **  +  +  +  +  +  +  +  *  +  +  +  *  +  +  +  +  +  +  +  +  *  +  +  +  +  +  +  +  •  +  +  +  +  +  +  +  +  +  +  ■*-*  +  +  +  +  +  ■*•  +  +  *-*--*• 

class  test 
{ 

public  static  void  pl(int  x,  int  y) 

{ 

int  a  =  x; 
int  b  =  0; 
while  (a  >  0) { 

b  =  b  +  1; 

a  =  a  -  1 ; 
} 
y  =  b; 


The  output  of  the  static  analyzer  on  the  above  program  produced  the  following  results: 
Constraint  set:  {ii4  =  in,  Xi2<  U,  is  =  U,  x?  =  X4,  X2  <  U,  in  =  is, 

18  <  T6,  T6  =  13.  17  =  16.  T3  <  T6.  T]  i  <  T9.  T9  =  T2, 

TlO  =  19,  X2  <  T9,  Tl4  <  Tl3,  Tl  =  Tl3,  13  <  Tl3,  to  <  X2 } 

Gamma  =         pi:  Ti2proc(iovar,  iivar) 

A  partial  trace  of  the  analysis  of  this  program  is  shown  in  Chapter  VI. 
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//  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  +  *  +  +  *  +  +  +  +  +  •*-  +  +  -*-  +  +  -*•■*-•*■•*■  +  +  +  +  ■*-  +  •*•  +  +  +  +  +  +  ■*■  +  ■*•■*•* 

//  File:  test. Java 

//  Date:  24  Feb  98 

// 

//  Author:  LT  James  D.  Harvey,  USN 

// 

//  Purpose:   Developed  as  part  of  a  secure  information 

//  flow  static  analyzer. 

//**  +  +  +  +  +  ***  +  *  +  +  ********  +  +  +  +  ***  +  +  +  **  +  +  *  +  +  +  +  *  +  **  +  +  **•*■  +  +  ■*•*  +  * 

class  test 
{ 

public  static  void  pl(int  x,  int  y) 
{ 

int  a  =  x; 
int  b  =  0; 
while  (a  >  0) { 
b  =  b  +  1; 
a  =  a  -  1 ; 
} 

y  =  b; 
) 

public  static  void  p2(int  a,  int  b) 
{ 

a  =  a  +  4  ; 

b  =  b  +  2; 

if  (a  >  b)  { 

pl(b,a)  ; 
} else { 

pi  ( a , b )  ; 
} 

b  =  a  +  b; 
} 

public  static  void  main ( ) 
{ 

int  s  -  1; 
int  t  =  8; 
do{ 

p2(2,t)  ; 
t  =  t  -  1; 
} while (t  >  3) ; 
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The  output  of  the  static  analyzer  on  the  above  program  produced  the  following  results: 
1     The  First  procedure,  p  1 ,  produces: 

Constraint  set:  {xh  =  I12,  T12  <  14,  i6  =  14,  15  =  T4,  12  <  14,  19  =  i6, 

18  5:  16,  16  —  t35  1 7  =  16,  13  5:  16,  Xl  1  S  19,  19  =  T2, 
XlO  =  X9,  1 2  <  X9,  X14  <  X13,  T13  =  Ii,  I3  <  T13,  To  <  1:1 

Gamma:  pi:  xnproc  dovar,    iivar) 

2.  The  second  procedure,  p2,  produces: 

Constraint  set:  { X30  =  X17,  I29  =  in,  X20  =  in,  X19  <  in,  in  =  X15, 

Xl8  =  X17,  X15  <  X17,  T22  <  X20,  X20  =  Xi6,  X21  =  X20, 

Xl6  —  X20,  X27  =  X25,  X27  =  X23,  X29  5:  X23,  T25  =  X23, 

X24  —  X23,  X15  <  X23,  Xi6  <  X24,  X26  —  Xo,  X25  =  Xo, 

Xl6  <  X25,  X15  <  126,  X28  =  Xo,  X27  =  Xo,  X15  <  X27,  X16  <  128, 

X32  <  X30,  X30  =  Xi6,  X31  =  X30,  X15  <  X30,  Xi6  <  X31    } 

Gamma:  p2  :  inproc  (Xi.war,    x^var)  , 

pi  :  Xnproc  (Xovar,    iivar) 

3.  The  third  procedure,  main,  produces: 

Constraint  set:  {142  <  x4o,  X35  =  X40,  x4i  =  x4o,  X34  <  x4o, 

X37  =  X35,  I36  -  Xl5,  X35  =  X15,  X34  <  X36, 
X39  —  X37,  T37  =  T34,  I38  =  X37,  T34  <  T37  } 

Gamma:  main  :  i42proc  ( ) , 

p2  :  xn  proc  ( a :  iisvar,    b :  x]6var), 
pi  :  xnproc  (x:x0var,    y:T]Var) 

4.  Gamma  is  updated  with  each  procedure. 
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